diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll
similarity index 98%
rename from java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qll
rename to java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll
index 195de7a1b8b..9aac9e4fc1a 100644
--- a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qll
+++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll
@@ -1,3 +1,5 @@
+/** Provides classes and predicates to reason about exposed actuators in Spring Boot. */
+
 import java
 /** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */
diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql
index b700e691550..c74c3428423 100644
--- a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql
+++ b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql
@@ -12,7 +12,7 @@
 */
 import java
-import SpringBootActuators
+import semmle.code.java.security.SpringBootActuatorsQuery
 from PermitAllCall permitAllCall
 where permitAllCall.permitsSpringBootActuators()
diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.expected b/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.expected
deleted file mode 100644
index f2874e3694d..00000000000
--- a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.expected
+++ /dev/null
@@ -1,7 +0,0 @@
-| SpringBootActuators.java:6:88:6:120 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
-| SpringBootActuators.java:10:5:10:137 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
-| SpringBootActuators.java:14:5:14:149 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
-| SpringBootActuators.java:18:5:18:101 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
-| SpringBootActuators.java:22:5:22:89 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
-| SpringBootActuators.java:26:40:26:108 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
-| SpringBootActuators.java:30:5:30:113 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.qlref b/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.qlref
deleted file mode 100644
index abd5f2a7599..00000000000
--- a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE/CWE-016/SpringBootActuators.ql
diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.expected b/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.java b/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java
similarity index 89%
rename from java/ql/test/query-tests/security/CWE-016/SpringBootActuators.java
rename to java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java
index da59919fbe6..71856f5c1a9 100644
--- a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.java
+++ b/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java
@@ -1,33 +1,33 @@
 import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-public class SpringBootActuators {
+public class SpringBootActuatorsTest {
 protected void configure(HttpSecurity http) throws Exception {
- http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest().permitAll());
+ http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator
 }
 protected void configure2(HttpSecurity http) throws Exception {
- http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll();
+ http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
 }
 protected void configure3(HttpSecurity http) throws Exception {
- http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll();
+ http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
 }
 protected void configure4(HttpSecurity http) throws Exception {
- http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll();
+ http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator
 }
 protected void configure5(HttpSecurity http) throws Exception {
- http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll();
+ http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
 }
 protected void configure6(HttpSecurity http) throws Exception {
- http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll());
+ http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()); // $ hasExposedSpringBootActuator
 }
 protected void configure7(HttpSecurity http) throws Exception {
- http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll();
+ http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator
 }
 protected void configureOk1(HttpSecurity http) throws Exception {
diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.ql b/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.ql
new file mode 100644
index 00000000000..f397fdb79aa
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.ql
@@ -0,0 +1,18 @@
+import java
+import semmle.code.java.security.SpringBootActuatorsQuery
+import utils.test.InlineExpectationsTest
+
+module SpringBootActuatorsTest implements TestSig {
+ string getARelevantTag() { result = "hasExposedSpringBootActuator" }
+
+ predicate hasActualResult(Location location, string element, string tag, string value) {
+ tag = "hasExposedSpringBootActuator" and
+ exists(PermitAllCall permitAllCall | permitAllCall.permitsSpringBootActuators() |
+ permitAllCall.getLocation() = location and
+ element = permitAllCall.toString() and
+ value = ""
+ )
+ }
+}
+
+import MakeTest
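Review bot: All seven annotated positive cases (`configure` through `configure7`) go through the `authorizeRequests(...)`/`requestMatcher(...)`/`requestMatchers(...)` chain, and none exercises the `authorizeHttpRequests(...)`/`securityMatcher(...)` form that newer Spring Security releases use instead, so `permitsSpringBootActuators()` could silently stop matching that shape without this test noticing. If the query is meant to cover it, add a case such as `http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests(requests -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator`. Every positive case also uses `EndpointRequest.toAnyEndpoint()`; a `permitAll()` on a narrower matcher such as `EndpointRequest.to("health")` is neither annotated as expected nor present as a deliberate negative, so the intended verdict for that shape is undocumented here. The class body continues past the end of the hunk (`configureOk1` onward), so the negative cases could not be checked from this view.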
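Review bot: The final added line reads `import MakeTest` with no type argument; if that is the file content rather than an extraction artifact, the `SpringBootActuatorsTest` module is never instantiated and the inline expectations are never evaluated — it should read `import MakeTest<SpringBootActuatorsTest>`. The harness binds only `location`, `element` and an empty `value`, so the alert message the deleted `.expected` file used to pin ("Unauthenticated access to Spring Boot actuator is allowed.") is no longer checked anywhere in this test; that is reasonable for a library-level test but worth stating in the module's doc. Neither the module nor `hasActualResult` carries QLDoc; a header such as `/** Inline-expectation test: an actual result is every `PermitAllCall` for which `permitsSpringBootActuators()` holds. */` would tell a reader what the `hasExposedSpringBootActuator` tag asserts.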