diff --git a/python/ql/src/Security/CWE-352/CSRFProtectionDisabled.ql b/python/ql/src/Security/CWE-352/CSRFProtectionDisabled.ql
index 44353c9b322..24917411fb4 100644
--- a/python/ql/src/Security/CWE-352/CSRFProtectionDisabled.ql
+++ b/python/ql/src/Security/CWE-352/CSRFProtectionDisabled.ql
@@ -18,6 +18,8 @@ from HTTP::Server::CsrfProtectionSetting s
 where
 s.getVerificationSetting() = false and
 not exists(HTTP::Server::CsrfLocalProtectionSetting p | p.csrfEnabled()) and
-// rule out test code as this is a common place to turn off CSRF protection
+// rule out test code as this is a common place to turn off CSRF protection.
+// We don't use normal `TestScope` to find test files, since we also want to match
+// a settings file such as `.../integration-tests/settings.py`
 not s.getLocation().getFile().getAbsolutePath().matches("%test%")
 select s, "Potential CSRF vulnerability due to forgery protection being disabled or weakened."
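Review bot: The `%test%` exclusion on the `not s.getLocation().getFile().getAbsolutePath()...` line is applied to the absolute path, so any directory above the repository root that contains `test` (a checkout under a CI or user directory such as `/home/tester/`) suppresses the alert for every settings file in the project, and a CSRF setting disabled in production code goes unreported. The new comment explains why `TestScope` is not used but does not mention this trade-off. Matching on the path relative to the source root, `not s.getLocation().getFile().getRelativePath().matches("%test%")` (if `getRelativePath()` is available on `File` in this library version), keeps the broad heuristic while limiting it to the project's own layout. It is also worth stating in the comment whether the match is meant to be case-sensitive, since a `Tests/` directory is presumably not excluded by this pattern.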