Add detailed model card

README.md

@@ -1,202 +1,146 @@
 ---
+language:
+  - en
+license: llama2
 base_model: codellama/CodeLlama-7b-instruct-hf
-library_name: peft
+tags:
+  - code
+  - security
+  - peft
+  - lora
+  - qlora
+  - vulnerability-detection
+  - api-security
+  - causal-lm
+datasets:
+  - custom
+pipeline_tag: text-generation
 ---
 
-# Model Card for Model ID
-
-<!-- Provide a quick summary of what the model is/does. -->
+# API Security QLoRA — Code Llama 7B
 
+A QLoRA fine-tuned adapter on top of **CodeLlama-7b-instruct-hf**, trained to detect security vulnerabilities in API endpoint source code. Given a raw code snippet, the model produces a structured analysis identifying vulnerability type, severity, CWE, and a remediated version of the code.
 
+---
 
 ## Model Details
 
-### Model Description
-
-<!-- Provide a longer summary of what this model is. -->
-
-
-
-- **Developed by:** [More Information Needed]
-- **Funded by [optional]:** [More Information Needed]
-- **Shared by [optional]:** [More Information Needed]
-- **Model type:** [More Information Needed]
-- **Language(s) (NLP):** [More Information Needed]
-- **License:** [More Information Needed]
-- **Finetuned from model [optional]:** [More Information Needed]
-
-### Model Sources [optional]
-
-<!-- Provide the basic links for the model. -->
-
-- **Repository:** [More Information Needed]
-- **Paper [optional]:** [More Information Needed]
-- **Demo [optional]:** [More Information Needed]
-
-## Uses
-
-<!-- Address questions around how the model is intended to be used, including the foreseeable users of the model and those affected by the model. -->
-
-### Direct Use
-
-<!-- This section is for the model use without fine-tuning or plugging into a larger ecosystem/app. -->
-
-[More Information Needed]
-
-### Downstream Use [optional]
-
-<!-- This section is for the model use when fine-tuned for a task, or when plugged into a larger ecosystem/app -->
-
-[More Information Needed]
-
-### Out-of-Scope Use
-
-<!-- This section addresses misuse, malicious use, and uses that the model will not work well for. -->
-
-[More Information Needed]
-
-## Bias, Risks, and Limitations
-
-<!-- This section is meant to convey both technical and sociotechnical limitations. -->
-
-[More Information Needed]
-
-### Recommendations
-
-<!-- This section is meant to convey recommendations with respect to the bias, risk, and technical limitations. -->
-
-Users (both direct and downstream) should be made aware of the risks, biases and limitations of the model. More information needed for further recommendations.
-
-## How to Get Started with the Model
-
-Use the code below to get started with the model.
-
-[More Information Needed]
-
-## Training Details
-
-### Training Data
-
-<!-- This should link to a Dataset Card, perhaps with a short stub of information on what the training data is all about as well as documentation related to data pre-processing or additional filtering. -->
-
-[More Information Needed]
-
-### Training Procedure
-
-<!-- This relates heavily to the Technical Specifications. Content here should link to that section when it is relevant to the training procedure. -->
-
-#### Preprocessing [optional]
-
-[More Information Needed]
-
-
-#### Training Hyperparameters
-
-- **Training regime:** [More Information Needed] <!--fp32, fp16 mixed precision, bf16 mixed precision, bf16 non-mixed precision, fp16 non-mixed precision, fp8 mixed precision -->
-
-#### Speeds, Sizes, Times [optional]
-
-<!-- This section provides information about throughput, start/end time, checkpoint size if relevant, etc. -->
-
-[More Information Needed]
-
-## Evaluation
-
-<!-- This section describes the evaluation protocols and provides the results. -->
-
-### Testing Data, Factors & Metrics
-
-#### Testing Data
-
-<!-- This should link to a Dataset Card if possible. -->
-
-[More Information Needed]
-
-#### Factors
-
-<!-- These are the things the evaluation is disaggregating by, e.g., subpopulations or domains. -->
-
-[More Information Needed]
-
-#### Metrics
-
-<!-- These are the evaluation metrics being used, ideally with a description of why. -->
-
-[More Information Needed]
-
-### Results
-
-[More Information Needed]
-
-#### Summary
-
+| Property | Value |
+|---|---|
+| **Base Model** | `codellama/CodeLlama-7b-instruct-hf` |
+| **Fine-tuning Method** | QLoRA (4-bit NF4 quantization) |
+| **LoRA Rank (r)** | 16 |
+| **LoRA Alpha** | 32 |
+| **LoRA Dropout** | 0.05 |
+| **Target Modules** | `q_proj`, `k_proj`, `v_proj`, `o_proj` |
+| **Task** | Causal LM / Code Security Analysis |
+| **Training Steps** | 531 |
+| **Training Hardware** | Google Colab T4 (16GB VRAM) |
 
+---
 
-## Model Examination [optional]
+## Training Data
 
-<!-- Relevant interpretability work for the model goes here -->
+Fine-tuned on a custom dataset of **10,000 API-specific vulnerability samples** (synthetic + augmented) covering 19 vulnerability types mapped to OWASP API Top 10.
 
-[More Information Needed]
+### Language Distribution
 
-## Environmental Impact
+| Language | Share | Frameworks |
+|---|---|---|
+| Python | 46% | Flask, FastAPI, Django |
+| JavaScript | 25% | Express.js, NestJS |
+| Java | 15% | Spring Boot |
+| PHP / Go / Ruby / C# | 14% | Laravel, Gin, Rails, ASP.NET |
 
-<!-- Total emissions (in grams of CO2eq) and additional considerations, such as electricity usage, go here. Edit the suggested text below accordingly -->
+### Vulnerability Distribution
 
-Carbon emissions can be estimated using the [Machine Learning Impact calculator](https://mlco2.github.io/impact#compute) presented in [Lacoste et al. (2019)](https://arxiv.org/abs/1910.09700).
+| Vulnerability | Samples | CWE |
+|---|---|---|
+| SQL Injection | 2,425 | CWE-89 |
+| Mass Assignment | 1,307 | CWE-915 |
+| Path Traversal | 943 | CWE-22 |
+| IDOR | 860 | CWE-639 |
+| Broken Authorization | 792 | CWE-285 |
+| Command Injection | 600 | CWE-78 |
 
-- **Hardware Type:** [More Information Needed]
-- **Hours used:** [More Information Needed]
-- **Cloud Provider:** [More Information Needed]
-- **Compute Region:** [More Information Needed]
-- **Carbon Emitted:** [More Information Needed]
+### Severity Breakdown
 
-## Technical Specifications [optional]
+- **Critical (43%)**: RCE, SQLi, unauthorized admin access
+- **High (41%)**: Data leaks, IDOR, authorization bypass
+- **Medium / Clean (16%)**: XSS, input validation warnings, baseline clean samples
 
-### Model Architecture and Objective
+---
 
-[More Information Needed]
+## Usage
 
-### Compute Infrastructure
+```python
+from transformers import AutoTokenizer, AutoModelForCausalLM
+from peft import PeftModel
+import torch
 
-[More Information Needed]
+base_model_id = "codellama/CodeLlama-7b-instruct-hf"
+adapter_id    = "harsharajkumar273/api-security-qlora"
 
-#### Hardware
+tokenizer = AutoTokenizer.from_pretrained(adapter_id, use_fast=False)
 
-[More Information Needed]
+base = AutoModelForCausalLM.from_pretrained(
+    base_model_id,
+    torch_dtype=torch.float16,
+    device_map="auto",
+)
+model = PeftModel.from_pretrained(base, adapter_id)
+model.eval()
 
-#### Software
+code_snippet = """
+@app.route('/user/<int:user_id>')
+def get_user(user_id):
+    query = f"SELECT * FROM users WHERE id = {user_id}"
+    result = db.execute(query)
+    return jsonify(result)
+"""
 
-[More Information Needed]
+prompt = f"[INST] Analyze this API endpoint for security vulnerabilities:\n\n{code_snippet} [/INST]"
+inputs = tokenizer(prompt, return_tensors="pt").to(model.device)
 
-## Citation [optional]
+with torch.no_grad():
+    outputs = model.generate(**inputs, max_new_tokens=512, temperature=0.1)
 
-<!-- If there is a paper or blog post introducing the model, the APA and Bibtex information for that should go in this section. -->
+print(tokenizer.decode(outputs[0], skip_special_tokens=True))
+```
 
-**BibTeX:**
+---
 
-[More Information Needed]
+## Integration with API Security Scanner
 
-**APA:**
+This adapter is the default model in the [API Security Scanner](https://github.com/harsharajkumar/api-security) project. It is loaded automatically — no manual path configuration needed:
 
-[More Information Needed]
+```bash
+git clone https://github.com/harsharajkumar/api-security
+cd api-security
+pip install -r requirements.txt
+streamlit run app.py
+```
 
-## Glossary [optional]
+The scanner will download this adapter from the Hub on first run and cache it locally.
 
-<!-- If relevant, include terms and calculations in this section that can help readers understand the model or model card. -->
+---
 
-[More Information Needed]
+## Intended Use
 
-## More Information [optional]
+- Automated API security auditing in CI/CD pipelines
+- Developer tooling for identifying vulnerable endpoint patterns
+- Security research and OWASP API Top 10 education
 
-[More Information Needed]
+## Out of Scope
 
-## Model Card Authors [optional]
+- General-purpose code generation
+- Non-API code (UI components, data processing scripts, etc.)
+- Production security decisions without human review
 
-[More Information Needed]
+---
 
-## Model Card Contact
+## Credits
 
-[More Information Needed]
-### Framework versions
+Developed as part of **CS6380 — API Security Project**
 
-- PEFT 0.14.0
+**Authors:** Siddhanth Nilesh Jagtap · Tanuj Kenchannavar · Harsha Raj Kumar