diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/ImproperCheckReturnValueScanf.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/ImproperCheckReturnValueScanf.expected
new file mode 100644
index 00000000000..7ba0580ca90
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/ImproperCheckReturnValueScanf.expected
@@ -0,0 +1,2 @@
+| test.cpp:23:3:23:7 | call to scanf | Unchecked return value for call to 'scanf'. |
+| test.cpp:41:3:41:7 | call to scanf | Unchecked return value for call to 'scanf'. |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/ImproperCheckReturnValueScanf.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/ImproperCheckReturnValueScanf.qlref
new file mode 100644
index 00000000000..f0cb9dd57c1
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/ImproperCheckReturnValueScanf.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/test.cpp
new file mode 100644
index 00000000000..4389cb506a2
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/test.cpp
@@ -0,0 +1,53 @@
+int scanf(const char *format, ...);
+int globalVal;
+int functionWork1() {
+  int i;
+  if (scanf("%i", i) == 1) // GOOD
+    return i;
+  else
+    return -1;
+}
+
+int functionWork1_() {
+  int i;
+  int r;
+  r = scanf("%i", i);
+  if (r == 1) // GOOD
+    return i;
+  else
+    return -1;
+}
+
+int functionWork1b() {
+  int i;
+  scanf("%i", i); // BAD
+  return i;
+}
+
+int functionWork2() {
+  int i = 0;
+  scanf("%i", i); // GOOD:the error can be determined by examining the initial value.
+  return i;
+}
+
+int functionWork2_() {
+  int i;
+  i = 0;
+  scanf("%i", i); // GOOD:the error can be determined by examining the initial value.
+  return i;
+}
+int functionWork2b() {
+  int i;
+  scanf("%i", i); // BAD
+  globalVal = i;
+  return 0;
+}
+
+void functionRunner() {
+  functionWork1();
+  functionWork1_();
+  functionWork1b();
+  functionWork2();
+  functionWork2_();
+  functionWork2b();
+}