CR CL LG SE | Jul 25, 2025

PurpCode: Reasoning for Safer Code Generation

arXiv:2507.19060v4 | 13 citations | h-index: 18
Originality: Highly original
AI Analysis

The paper addresses the need for safer code generation in AI models to prevent vulnerabilities and malicious activities. It represents a novel method for a known bottleneck in cybersecurity.

The paper tackles the problem of generating secure code and defending against malicious cyberactivities by introducing PurpCode, a post-training recipe that trains reasoning models in two stages, resulting in a model that demonstrates state-of-the-art cybersafety and reduces overrefusal rates while preserving utility.

We introduce PurpCode, the first post-training recipe for training safe code reasoning models towards generating secure code and defending against malicious cyberactivities. PurpCode trains a reasoning model in two stages: (i) Rule Learning, which explicitly teaches the model to reference cybersafety rules to generate vulnerability-free code and to avoid facilitating malicious cyberactivities; and (ii) Reinforcement Learning, which optimizes model safety and preserves model utility through diverse, multi-objective reward mechanisms. To empower the training pipelines with comprehensive cybersafety data, we conduct internal red-teaming to synthesize comprehensive and high-coverage prompts based on real-world tasks for inducing unsafe cyberactivities in the model. Based on PurpCode, we develop a reasoning-based coding model, namely PurpCode-32B, which demonstrates state-of-the-art cybersafety, outperforming various frontier models. Meanwhile, our alignment method decreases the model overrefusal rates in both general and cybersafety-specific scenarios, while preserving model utility in both code generation and common security knowledge.
