From 213ab902cd6804432695641682bd4f5ec3826886 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Wed, 6 May 2026 12:04:59 +0100
Subject: [PATCH] Shared: Fix for 'api_tok'.

---
 rust/ql/test/library-tests/sensitivedata/test.rs                | 2 +-
 .../codeql/concepts/internal/SensitiveDataHeuristics.qll        | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/rust/ql/test/library-tests/sensitivedata/test.rs b/rust/ql/test/library-tests/sensitivedata/test.rs
index a85db97fb72..1e1eca6a42b 100644
--- a/rust/ql/test/library-tests/sensitivedata/test.rs
+++ b/rust/ql/test/library-tests/sensitivedata/test.rs
@@ -58,7 +58,7 @@ fn test_passwords(
 	sink(oauth); // $ sensitive=password
 	sink(one_time_code); // $ MISSING: sensitive=password
 	sink(api_token); // $ sensitive=password
-	sink(api_tok); // $ MISSING: sensitive=password
+	sink(api_tok); // $ sensitive=password
 
 	sink(ms); // $ MISSING: sensitive=password
 	sink(ms.password.as_str()); // $ sensitive=password
diff --git a/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll b/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll
index 0f66d5b6c4f..9cc414ef85f 100644
--- a/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll
+++ b/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll
@@ -76,7 +76,7 @@ module HeuristicNames {
   string maybePassword() {
     result =
       "(?is).*(pass(wd|word|code|.?phrase)(?!.*question)|(auth(entication|ori[sz]ation)?).?key|oauth|"
-        + "api.?(key|token)|([_-]|\\b)mfa([_-]|\\b)).*"
+        + "api.?(key|tok)|([_-]|\\b)mfa([_-]|\\b)).*"
   }
 
   /**