@tereza_tizkova: Our secret scanning checks code for accidentally-committed credentials (API keys, passwords, tokens). This is ofc prone…
Summary
Fine-tuned two small LoRA adapters on Qwen 3.6 35B A3B to improve secret scanning by catching false positives and false negatives, beating larger models like GPT-5.5 and Opus 4.8.
View Cached Full Text
Cached at: 07/02/26, 02:17 AM
Our secret scanning checks code for accidentally-committed credentials (API keys, passwords, tokens).
This is ofc prone to missing secrets or flagging safe code as risky. So we fine-tuned two small LoRA adapters (Qwen 3.6 35B A3B) to catch both false-positives and false-negatives in the scanning. Both beat GPT-5.5 and Opus 4.8 on our repo-level holdout.
Open weights on @huggingface: ‣ Risk: http://huggingface.co/factoryai/shield-risk-r16-c15… ‣ Downgrade: http://huggingface.co/factoryai/shield-dg-r64-c15…
factoryai/shield-risk-r16-c15 · Hugging Face
Source: https://huggingface.co/factoryai/shield-risk-r16-c15
https://huggingface.co/factoryai/shield-risk-r16-c15#droid-shield—risk-missed-secret-fallbackDroid Shield - Risk (missed-secret fallback)
Flags likely secrets the deterministic scanner MISSED (false negatives).
This repo contains a PEFT LoRA (r=16,alpha=32) forQwen/Qwen3\.6\-35B\-A3B, used by Droid Shield 2.0. It targets the base text tower and must be applied on top of the base weights; it is not a standalone model.
https://huggingface.co/factoryai/shield-risk-r16-c15#the-contractThe contract
This adapter was trained against an exact prompt and I/O schema. Sending anything else may degrade it silently. All three pieces below are part of the trained-model contract.
https://huggingface.co/factoryai/shield-risk-r16-c15#1-system-message1. System message
Send the contents ofsystem\-prompt\.txtverbatimas the system message. The exact bytes matter.
sha256\(system\-prompt\.txt\)=d475080b8357748aa5c18853cb89b528a85547dae8df07559ae94bf58fcaa164
Caveat: the shipped system prompt intentionally refers to “Droid Shield” because these adapters were trained for Factory’s Droid Shield workflow. Customers repurposing the adapter may want different branding or framing; validate any prompt edits because changing the trained contract can change scores.
https://huggingface.co/factoryai/shield-risk-r16-c15#2-user-message2. User message
A single JSON object, serialized as pretty-printed JSON with 2-space indentation and non-ASCII preserved (canonical form: JSJSON\.stringify\(value, null, 2\)), with these keys:
extension: the file extensionlines: a small ordered window of source linesfocus\_line: the zero-based index of the candidate line withinlines
https://huggingface.co/factoryai/shield-risk-r16-c15#3-assistant-output3. Assistant output
Strict JSON,verdict first, no thinking/reasoning text:
{"verdict": "S", "reason": "short natural-language reason grounded in the input"}
verdictis exactly one of:
S: no actionable missed-secret risk (safe placeholder, test, docs, or public identifier)B: likely a real credential missed by the regex; warn the user about a possible false negative
https://huggingface.co/factoryai/shield-risk-r16-c15#decoding-requirementsDecoding requirements
- Deterministic: greedy /
temperature = 0(do\_sample = false). The shippedgeneration\_config\.jsonis set to greedy for this reason. - No thinking: the training targets contain no
<think\>blocks. The bundled chat template defaults to opening a thinking turn, so you must disable it (with the bundled template, passenable\_thinking=False). The assistant turn must start with no open<think\>block so the model emits the verdict JSON directly; otherwise the verdict-first contract and the logprob score break. - Constrain the outputto the
\{verdict, reason\}object (a JSON-schema or grammar-constrained decode is strongly recommended). - Score: the calibrated signal is
P\(B\)read from the token logprobs at the verdict position, renormalized over the two verdict tokens:P\(B\) = exp\(logprob\_B\) / \(exp\(logprob\_S\) \+ exp\(logprob\_B\)\). Request the top-2 logprobs at that token. Both tasks are ranked byP\(B\)= “treat as a real secret”.
https://huggingface.co/factoryai/shield-risk-r16-c15#operating-pointOperating point
The adapter emits a probability; thedecision threshold is not baked in. It is selected downstream and frozen on a held-out split:
- Recall-favoring. Downstream selects the threshold that maximizes recall subject to a false-positive-rate ceiling (Wilson upper confidence bound), chosen on a held-out split and then frozen.
https://huggingface.co/factoryai/shield-risk-r16-c15#loadingLoading
This is a standard PEFT LoRA (fw\_lora\_layout: hf\_peft\_v1) whose target modules match the base text tower, so it loads with any stack that supports PEFT LoRA on top ofQwen/Qwen3\.6\-35B\-A3B(e.g. transformers + peft, vLLM, TGI, Fireworks). Then drive it with the contract above:system\-prompt\.txtas the system message, the JSON user message, greedy decoding, thinking off. Two things that bite:
- The base is a multimodal
Qwen3\_5MoeForConditionalGenerationarch, so load the full base and apply the adapter on top; the LoRA only touches the language tower. - The runtime needs an arch new enough to know
qwen3\_5\_moe(for example,transformers \>= 4\.57).
https://huggingface.co/factoryai/shield-risk-r16-c15#provenance–licenseProvenance & license
- Base:
Qwen/Qwen3\.6\-35B\-A3B(Fireworks training baseqwen3p6\-35b\-a3b). - Training/eval pipeline lives in the
factorymonorepo underfinetune/. - This adapter inherits the base model’s license and is published as a Factory artifact.
Factory (@FactoryAI): Introducing Droid Shield 2.0: learned secret detection for safer autonomous engineering at scale.
Similar Articles
@lqiao: This is exactly why we believe in customization. Quick context: Factory's original secret scanner was deterministic, so…
Factory's Droid Shield 2.0 uses two small post-trained models for secret detection, outperforming GPT-5.5 and Opus 4.8 on this task while being faster and cheaper.
@no_stp_on_snek: btw this was my loop. as you can see i didn't put much thought into it (typos and all), just a side thing to assess the…
Release of Qwopus3.6-27B-v2-MTP, a fine-tuned multi-token prediction reasoning model based on Qwen3.6-27B, optimized for coding, DevOps, and math tasks with improved generation speed.
@0x0SojalSec: fully uncensored Cybersecurity-specialized model tuned on exploits, pentesting and Run locally on MacBook, delivers exp…
A fully uncensored cybersecurity-specialized AI model fine-tuned on exploits and pentesting data, designed to run locally on consumer hardware with multiple quantization options, offering expert offensive and defensive insights.
I got paranoid about OpenClaw skills injecting crap into my system prompt, so I built a quarantine pipeline with two LLMs as reviewers (93.75% detection, zero false negatives)
A developer built a quarantine pipeline using two LLM reviewers (Claude and Codex) to detect injection attacks in OpenClaw skills, achieving 93.75% detection rate with zero false negatives. The system uses a dual mandate of checklist-based pattern matching and open analysis to catch both known and novel injection techniques.
We open-sourced Chaperone-Thinking-LQ-1.0 — a 4-bit GPTQ + QLoRA fine-tuned DeepSeek-R1-32B that hits 84% on MedQA in ~20GB[N]
EmpirischTech released Chaperone-Thinking-LQ-1.0, a 4-bit GPTQ + QLoRA fine-tuned DeepSeek-R1-32B that achieves 84% on MedQA in ~20GB, enabling on-prem healthcare deployment.