diff --git a/ql/lib/semmle/go/security/AllocationSizeOverflowCustomizations.qll b/ql/lib/semmle/go/security/AllocationSizeOverflowCustomizations.qll
index 62bfd40f347..229fd0d38d3 100644
--- a/ql/lib/semmle/go/security/AllocationSizeOverflowCustomizations.qll
+++ b/ql/lib/semmle/go/security/AllocationSizeOverflowCustomizations.qll
@@ -49,7 +49,8 @@ module AllocationSizeOverflow {
   class MarshalingSource extends Source {
     MarshalingSource() {
       exists(MarshalingFunction marshal, DataFlow::CallNode call |
-        call = marshal.getACall() and
+        // Binding order tweak: start with marshalling function calls then work outwards:
+        pragma[only_bind_into](call) = marshal.getACall() and
         // rule out cases where we can tell that the result will always be small
         exists(FunctionInput inp | inp = marshal.getAnInput() | isBig(inp.getNode(call).asExpr())) and
         this = marshal.getOutput().getNode(call)
diff --git a/ql/src/Security/CWE-209/StackTraceExposure.ql b/ql/src/Security/CWE-209/StackTraceExposure.ql
index f908bf5581a..b3cb4107319 100644
--- a/ql/src/Security/CWE-209/StackTraceExposure.ql
+++ b/ql/src/Security/CWE-209/StackTraceExposure.ql
@@ -26,7 +26,10 @@ class DebugModeFlag extends FlagKind {
 
   bindingset[result]
   override string getAFlagName() {
-    result.regexpMatch("(?i).*(trace|debug|devel|(enable|disable|print)stack).*")
+    result
+        .toLowerCase()
+        .matches("%" + ["trace", "debug", "devel", "enablestack", "disablestack", "printstack"] +
+            "%")
   }
 }
 
diff --git a/ql/src/Security/CWE-295/DisabledCertificateCheck.ql b/ql/src/Security/CWE-295/DisabledCertificateCheck.ql
index c27c3bd9dc2..4a5a72b76ac 100644
--- a/ql/src/Security/CWE-295/DisabledCertificateCheck.ql
+++ b/ql/src/Security/CWE-295/DisabledCertificateCheck.ql
@@ -45,7 +45,7 @@ class InsecureCertificateFlag extends FlagKind {
 
   bindingset[result]
   override string getAFlagName() {
-    result.regexpMatch("(?i).*(selfCert|selfSign|validat|verif|trust).*")
+    result.toLowerCase().matches("%" + ["selfcert", "selfsign", "validat", "verif", "trust"] + "%")
   }
 }
 
diff --git a/ql/src/Security/CWE-327/InsecureTLS.ql b/ql/src/Security/CWE-327/InsecureTLS.ql
index 3f6c5378332..f8277226144 100644
--- a/ql/src/Security/CWE-327/InsecureTLS.ql
+++ b/ql/src/Security/CWE-327/InsecureTLS.ql
@@ -243,7 +243,9 @@ class LegacyTlsVersionFlag extends FlagKind {
   LegacyTlsVersionFlag() { this = "legacyTlsVersion" }
 
   bindingset[result]
-  override string getAFlagName() { result.regexpMatch("(?i).*(old|intermediate|legacy).*") }
+  override string getAFlagName() {
+    result.toLowerCase().matches("%" + ["old", "intermediate", "legacy"] + "%")
+  }
 }
 
 /**
diff --git a/ql/src/experimental/CWE-942/CorsMisconfiguration.ql b/ql/src/experimental/CWE-942/CorsMisconfiguration.ql
index cf3d8fffa49..4e4b452fb8e 100644
--- a/ql/src/experimental/CWE-942/CorsMisconfiguration.ql
+++ b/ql/src/experimental/CWE-942/CorsMisconfiguration.ql
@@ -22,7 +22,9 @@ class AllowedFlag extends FlagKind {
 
   bindingset[result]
   override string getAFlagName() {
-    result.regexpMatch("(?i).*(allow|match|check|debug|devel|insecure).*")
+    result
+        .toLowerCase()
+        .matches("%" + ["allow", "match", "check", "debug", "devel", "insecure"] + "%")
   }
 }