scthornton 
posted an update 27 days ago
# SecureCode: Security-Aware Code Models

**A collection of 8 code models (3B–20B) trained to behave like a security reviewer.**

## The Problem

Code assistants frequently recommend patterns that pass tests but fail security review—string-built SQL, brittle auth logic, unsafe parsing, insecure defaults, and more. I built SecureCode to address this gap.

## What SecureCode Does

- **Identify vulnerable patterns** and explain why they're risky
- **Outline plausible abuse paths** (defensive framing)
- **Propose secure rewrites** (drop-in replacements where possible)
- **Include defense-in-depth guidance** + regression tests/checks

## Resources

| Resource | Link |
|----------|------|
| Models | https://huggingface.co/collections/scthornton/securecode |
| Dataset | scthornton/securecode (2,185 examples) |
| Paper | https://arxiv.org/abs/2512.18542 |

## How to Test It

Copy and paste this prompt with your code:

```
You are a senior application security engineer. Review the code below.

Output:
(1) findings with severity,
(2) likely exploit scenarios (high level),
(3) secure rewrite,
(4) defense-in-depth recommendations,
(5) regression tests/checks.

Code: `...`
```


## Dataset Coverage

SecureCode covers both traditional and emerging security domains:
- **Traditional web security** (OWASP Top 10 2021)
- **AI/ML security** (OWASP LLM Top 10 2025): prompt injection, RAG poisoning, model extraction, agentic AI patterns

## We Want Your Feedback

We're looking for real-world contributions:

- **Real snippets**: Share code that "slipped through review once" (sanitized is fine)
- **False positives/negatives**: What didn't work as expected?
- **CVE-grounded examples**: New vulnerability patterns you've encountered

**Please include**: language/framework + what the correct remediation looks like in your environment.

---

**Have contributions or suggestions?** I'd be happy to hear them. Thanks for your support!