diff --git a/swift/ql/test/query-tests/Security/CWE-020/SemiAnchoredRegex.swift b/swift/ql/test/query-tests/Security/CWE-020/SemiAnchoredRegex.swift
index b42664367c7..d5d2f68be48 100644
--- a/swift/ql/test/query-tests/Security/CWE-020/SemiAnchoredRegex.swift
+++ b/swift/ql/test/query-tests/Security/CWE-020/SemiAnchoredRegex.swift
@@ -47,63 +47,63 @@ class NSString : NSObject {
 
 func tests(input: String) throws {
 	_ = try Regex("^a|").firstMatch(in: input)
-	_ = try Regex("^a|b").firstMatch(in: input) // $ Alert // BAD (missing anchor)
+	_ = try Regex("^a|b").firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
 	_ = try Regex("a|^b").firstMatch(in: input)
 	_ = try Regex("^a|^b").firstMatch(in: input)
-	_ = try Regex("^a|b|c").firstMatch(in: input) // $ Alert // BAD (missing anchor)
+	_ = try Regex("^a|b|c").firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
 	_ = try Regex("a|^b|c").firstMatch(in: input)
 	_ = try Regex("a|b|^c").firstMatch(in: input)
 	_ = try Regex("^a|^b|c").firstMatch(in: input)
 
 	_ = try Regex("(^a)|b").firstMatch(in: input)
-	_ = try Regex("^a|(b)").firstMatch(in: input) // $ Alert // BAD (missing anchor)
+	_ = try Regex("^a|(b)").firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
 	_ = try Regex("^a|(^b)").firstMatch(in: input)
-	_ = try Regex("^(a)|(b)").firstMatch(in: input) // $ Alert // BAD (missing anchor)
+	_ = try Regex("^(a)|(b)").firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
 
-	_ = try Regex("a|b$").firstMatch(in: input) // $ Alert // BAD (missing anchor)
+	_ = try Regex("a|b$").firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
 	_ = try Regex("a$|b").firstMatch(in: input)
 	_ = try Regex("a$|b$").firstMatch(in: input)
-	_ = try Regex("a|b|c$").firstMatch(in: input) // $ Alert // BAD (missing anchor)
+	_ = try Regex("a|b|c$").firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
 	_ = try Regex("a|b$|c").firstMatch(in: input)
 	_ = try Regex("a$|b|c").firstMatch(in: input)
 	_ = try Regex("a|b$|c$").firstMatch(in: input)
 
 	_ = try Regex("a|(b$)").firstMatch(in: input)
-	_ = try Regex("(a)|b$").firstMatch(in: input) // $ Alert // BAD (missing anchor)
+	_ = try Regex("(a)|b$").firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
 	_ = try Regex("(a$)|b$").firstMatch(in: input)
-	_ = try Regex("(a)|(b)$").firstMatch(in: input) // $ Alert // BAD (missing anchor)
+	_ = try Regex("(a)|(b)$").firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
 
-	_ = try Regex(#"^good.com|better.com"#).firstMatch(in: input) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"^good\.com|better\.com"#).firstMatch(in: input) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"^good\\.com|better\\.com"#).firstMatch(in: input) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"^good\\\.com|better\\\.com"#).firstMatch(in: input) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"^good\\\\.com|better\\\\.com"#).firstMatch(in: input) // $ Alert // BAD (missing anchor)
+	_ = try Regex(#"^good.com|better.com"#).firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"^good\.com|better\.com"#).firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"^good\\.com|better\\.com"#).firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"^good\\\.com|better\\\.com"#).firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"^good\\\\.com|better\\\\.com"#).firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
 
-	_ = try Regex("^foo|bar|baz$").firstMatch(in: input) // $ Alert // BAD (missing anchor)
+	_ = try Regex("^foo|bar|baz$").firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
 	_ = try Regex("^foo|%").firstMatch(in: input)
 }
 
 func realWorld(input: String) throws {
 	// real-world examples that have been anonymized a bit
 	// the following are bad:
-	_ = try Regex(#"(\.xxx)|(\.yyy)|(\.zzz)$"#).firstMatch(in: input) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"(^left|right|center)\sbottom$"#).firstMatch(in: input) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"\.xxx|\.yyy|\.zzz$"#).ignoresCase().firstMatch(in: input) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"\.xxx|\.yyy|\.zzz$"#).ignoresCase().firstMatch(in: input) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"\.xxx|\.yyy|zzz$"#).firstMatch(in: input) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"^([A-Z]|xxx[XY]$)"#).firstMatch(in: input) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"^(xxx yyy zzz)|(xxx yyy)"#).ignoresCase().firstMatch(in: input) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"^(xxx yyy zzz)|(xxx yyy)|(1st( xxx)? yyy)|xxx|1st"#).ignoresCase().firstMatch(in: input) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"^(xxx:)|(yyy:)|(zzz:)"#).firstMatch(in: input) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"^(xxx?:)|(yyy:zzz\/)"#).firstMatch(in: input) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"^@media|@page"#).firstMatch(in: input) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"^\s*(xxx?|yyy|zzz):|xxx:yyy"#).firstMatch(in: input) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"^click|mouse|touch"#).firstMatch(in: input) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"^http://good\.com|http://better\.com"#).firstMatch(in: input) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"^https?://good\.com|https?://better\.com"#).firstMatch(in: input) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"^mouse|touch|click|contextmenu|drop|dragover|dragend"#).firstMatch(in: input) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"^xxx:|yyy:"#).ignoresCase().firstMatch(in: input) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"_xxx|_yyy|_zzz$"#).firstMatch(in: input) // $ Alert // BAD (missing anchor)
+	_ = try Regex(#"(\.xxx)|(\.yyy)|(\.zzz)$"#).firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"(^left|right|center)\sbottom$"#).firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"\.xxx|\.yyy|\.zzz$"#).ignoresCase().firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"\.xxx|\.yyy|\.zzz$"#).ignoresCase().firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"\.xxx|\.yyy|zzz$"#).firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"^([A-Z]|xxx[XY]$)"#).firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"^(xxx yyy zzz)|(xxx yyy)"#).ignoresCase().firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"^(xxx yyy zzz)|(xxx yyy)|(1st( xxx)? yyy)|xxx|1st"#).ignoresCase().firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"^(xxx:)|(yyy:)|(zzz:)"#).firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"^(xxx?:)|(yyy:zzz\/)"#).firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"^@media|@page"#).firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"^\s*(xxx?|yyy|zzz):|xxx:yyy"#).firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"^click|mouse|touch"#).firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"^http://good\.com|http://better\.com"#).firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"^https?://good\.com|https?://better\.com"#).firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"^mouse|touch|click|contextmenu|drop|dragover|dragend"#).firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"^xxx:|yyy:"#).ignoresCase().firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"_xxx|_yyy|_zzz$"#).firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
 	_ = try Regex(#"em|%$"#).firstMatch(in: input) // BAD (missing anchor) [NOT DETECTED] - not flagged at the moment due to the anchor not being for letters
 
 	// the following are MAYBE OK due to apparent complexity; not flagged
diff --git a/swift/ql/test/query-tests/Security/CWE-020/UnanchoredUrlRegex.swift b/swift/ql/test/query-tests/Security/CWE-020/UnanchoredUrlRegex.swift
index 3a087d70945..d096338401f 100644
--- a/swift/ql/test/query-tests/Security/CWE-020/UnanchoredUrlRegex.swift
+++ b/swift/ql/test/query-tests/Security/CWE-020/UnanchoredUrlRegex.swift
@@ -59,36 +59,36 @@ func tests(url: String, secure: Bool) throws {
 	let input = "http://evil.com/?http://good.com"
 	let inputRange = NSMakeRange(0, input.utf16.count)
 
-	_ = try NSRegularExpression(pattern: "https?://good.com").matches(in: input, range: inputRange) // $ Alert // BAD (missing anchor)
-	_ = try NSRegularExpression(pattern: "https?://good.com").matches(in: input, range: inputRange) // $ Alert // BAD (missing anchor)
-	_ = try NSRegularExpression(pattern: "^https?://good.com").matches(in: input, range: inputRange) // $ Alert // BAD (missing post-anchor)
-	_ = try NSRegularExpression(pattern: "(^https?://good1.com)|(^https?://good2.com)").matches(in: input, range: inputRange) // $ Alert // BAD (missing post-anchor)
-	_ = try NSRegularExpression(pattern: "(https?://good.com)|(^https?://goodie.com)").matches(in: input, range: inputRange) // $ Alert // BAD (missing anchor)
+	_ = try NSRegularExpression(pattern: "https?://good.com").matches(in: input, range: inputRange) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try NSRegularExpression(pattern: "https?://good.com").matches(in: input, range: inputRange) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try NSRegularExpression(pattern: "^https?://good.com").matches(in: input, range: inputRange) // $ Alert[swift/missing-regexp-anchor] // BAD (missing post-anchor)
+	_ = try NSRegularExpression(pattern: "(^https?://good1.com)|(^https?://good2.com)").matches(in: input, range: inputRange) // $ Alert[swift/missing-regexp-anchor] // BAD (missing post-anchor)
+	_ = try NSRegularExpression(pattern: "(https?://good.com)|(^https?://goodie.com)").matches(in: input, range: inputRange) // $ Alert[swift/missing-regexp-anchor] Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
 
-	_ = try NSRegularExpression(pattern: #"https?:\/\/good.com"#).matches(in: input, range: inputRange) // $ Alert // BAD (missing anchor)
-	_ = try NSRegularExpression(pattern: "https?://good.com").matches(in: input, range: inputRange) // $ Alert // BAD (missing anchor)
+	_ = try NSRegularExpression(pattern: #"https?:\/\/good.com"#).matches(in: input, range: inputRange) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try NSRegularExpression(pattern: "https?://good.com").matches(in: input, range: inputRange) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
 
-	if let _ = try NSRegularExpression(pattern: "https?://good.com").firstMatch(in: input, range: inputRange) { } // $ Alert // BAD (missing anchor)
+	if let _ = try NSRegularExpression(pattern: "https?://good.com").firstMatch(in: input, range: inputRange) { } // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
 
 	let input2 = "something"
 	let input2Range = NSMakeRange(0, input2.utf16.count)
 	_ = try NSRegularExpression(pattern: "other").firstMatch(in: input2, range: input2Range) // OK
 	_ = try NSRegularExpression(pattern: "x.commissary").firstMatch(in: input2, range: input2Range) // OK
 
-	_ = try NSRegularExpression(pattern: #"https?://good.com"#).firstMatch(in: input, range: inputRange) // $ Alert // BAD (missing anchor)
-	_ = try NSRegularExpression(pattern: #"https?://good.com:8080"#).firstMatch(in: input, range: inputRange) // $ Alert // BAD (missing anchor)
+	_ = try NSRegularExpression(pattern: #"https?://good.com"#).firstMatch(in: input, range: inputRange) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try NSRegularExpression(pattern: #"https?://good.com:8080"#).firstMatch(in: input, range: inputRange) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
 
 	let trustedUrlRegexs = [
-		"https?://good.com", // $ Alert // BAD (missing anchor), referenced below
-		#"https?:\/\/good.com"#, // $ Alert // BAD (missing anchor), referenced below
-		"^https?://good.com" // $ Alert // BAD (missing post-anchor), referenced below
+		"https?://good.com", // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor), referenced below
+		#"https?:\/\/good.com"#, // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor), referenced below
+		"^https?://good.com" // $ Alert[swift/missing-regexp-anchor] // BAD (missing post-anchor), referenced below
 	]
 	for trustedUrlRegex in trustedUrlRegexs {
 		if let _ = try NSRegularExpression(pattern: trustedUrlRegex).firstMatch(in: input, range: inputRange) { }
 	}
 
 	let trustedUrlRegexs2 = [
-		"https?://good.com", // $ Alert // BAD (missing anchor), referenced below
+		"https?://good.com", // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor), referenced below
 	]
 	if let _ = try NSRegularExpression(pattern: trustedUrlRegexs2[0]).firstMatch(in: input, range: inputRange) { }
 
@@ -98,13 +98,13 @@ func tests(url: String, secure: Bool) throws {
 	for _ in notUsedUrlRegexs {
 	}
 
-	_ = try NSRegularExpression(pattern: #"https?:\/\/good.com\/([0-9]+)"#).matches(in: url, range: urlRange) // $ Alert // BAD (missing anchor)
+	_ = try NSRegularExpression(pattern: #"https?:\/\/good.com\/([0-9]+)"#).matches(in: url, range: urlRange) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
 	_ = try NSRegularExpression(pattern: "https://verygood.com/?id=" + #"https?:\/\/good.com\/([0-9]+)"#).matches(in: url, range: urlRange)[0] // OK
 	_ = try NSRegularExpression(pattern: "http" + (secure ? "s" : "") + "://" + "verygood.com/?id=" + #"https?:\/\/good.com\/([0-9]+)"#).matches(in: url, range: urlRange)[0] // OK
 	_ = try NSRegularExpression(pattern: "verygood.com/?id=" + #"https?:\/\/good.com\/([0-9]+)"#).matches(in: url, range: urlRange)[0] // OK
 
 	_ = try NSRegularExpression(pattern: #"\.com|\.org"#).matches(in: input, range: inputRange) // OK, has no domain name
-	_ = try NSRegularExpression(pattern: #"example\.com|whatever"#).matches(in: input, range: inputRange) // $ Alert // OK, the other disjunction doesn't match a hostname [FALSE POSITIVE]
+	_ = try NSRegularExpression(pattern: #"example\.com|whatever"#).matches(in: input, range: inputRange) // $ Alert[swift/missing-regexp-anchor] // OK, the other disjunction doesn't match a hostname [FALSE POSITIVE]
 
 	// tests for the `isLineAnchoredHostnameRegExp` case
 
diff --git a/swift/ql/test/query-tests/Security/CWE-020/test.swift b/swift/ql/test/query-tests/Security/CWE-020/test.swift
index 4d545d361f6..321f5fcd56c 100644
--- a/swift/ql/test/query-tests/Security/CWE-020/test.swift
+++ b/swift/ql/test/query-tests/Security/CWE-020/test.swift
@@ -53,49 +53,49 @@ func testHostnames(myUrl: URL) throws {
 
 	_ = try Regex(#"^http://example\.com/"#).firstMatch(in: tainted) // GOOD
 	_ = try Regex(#"^http://example.com/"#).firstMatch(in: tainted) // GOOD (only '.' here gives a valid top-level domain)
-	_ = try Regex(#"^http://example.com"#).firstMatch(in: tainted) // $ Alert // BAD (missing anchor)
+	_ = try Regex(#"^http://example.com"#).firstMatch(in: tainted) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
 	_ = try Regex(#"^http://test\.example\.com/"#).firstMatch(in: tainted) // GOOD
 	_ = try Regex(#"^http://test\.example.com/"#).firstMatch(in: tainted) // GOOD (only '.' here gives a valid top-level domain)
-	_ = try Regex(#"^http://test\.example.com"#).firstMatch(in: tainted) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"^http://test.example.com/"#).firstMatch(in: tainted) // $ Alert // BAD (incomplete hostname)
+	_ = try Regex(#"^http://test\.example.com"#).firstMatch(in: tainted) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"^http://test.example.com/"#).firstMatch(in: tainted) // $ Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname)
 	_ = try Regex(#"^http://test[.]example[.]com/"#).firstMatch(in: tainted) // GOOD (alternative method of escaping)
 
-	_ = try Regex(#"^http://test.example.net/"#).firstMatch(in: tainted) // $ Alert // BAD (incomplete hostname)
-	_ = try Regex(#"^http://test.(example-a|example-b).com/"#).firstMatch(in: tainted) // $ Alert // BAD (incomplete hostname)
-	_ = try Regex(#"^http://(.+).example.com/"#).firstMatch(in: tainted) // $ Alert // BAD (incomplete hostname x 2)
+	_ = try Regex(#"^http://test.example.net/"#).firstMatch(in: tainted) // $ Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname)
+	_ = try Regex(#"^http://test.(example-a|example-b).com/"#).firstMatch(in: tainted) // $ Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname)
+	_ = try Regex(#"^http://(.+).example.com/"#).firstMatch(in: tainted) // $ Alert[swift/incomplete-hostname-regexp] Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname x 2)
 	_ = try Regex(#"^http://(\.+)\.example.com/"#).firstMatch(in: tainted) // GOOD
-	_ = try Regex(#"^http://(?:.+)\.test\.example.com/"#).firstMatch(in: tainted) // $ Alert // BAD (incomplete hostname)
-	_ = try Regex(#"^http://test.example.com/(?:.*)"#).firstMatch(in: tainted) // $ Alert // BAD (incomplete hostname)
-	_ = try Regex(#"^(.+\.(?:example-a|example-b)\.com)/"#).firstMatch(in: tainted) // $ Alert // BAD (missing anchor)
-	_ = try Regex(#"^(https?:)?//((service|www).)?example.com(?=$|/)"#).firstMatch(in: tainted) // $ Alert // BAD (incomplete hostname)
-	_ = try Regex(#"^(http|https)://www.example.com/p/f/"#).firstMatch(in: tainted) // $ Alert // BAD (incomplete hostname)
-	_ = try Regex(#"^(http://sub.example.com/)"#).firstMatch(in: tainted) // $ Alert // BAD (incomplete hostname)
-	_ = try Regex(#"^https?://api.example.com/"#).firstMatch(in: tainted) // $ Alert // BAD (incomplete hostname)
+	_ = try Regex(#"^http://(?:.+)\.test\.example.com/"#).firstMatch(in: tainted) // $ Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname)
+	_ = try Regex(#"^http://test.example.com/(?:.*)"#).firstMatch(in: tainted) // $ Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname)
+	_ = try Regex(#"^(.+\.(?:example-a|example-b)\.com)/"#).firstMatch(in: tainted) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
+	_ = try Regex(#"^(https?:)?//((service|www).)?example.com(?=$|/)"#).firstMatch(in: tainted) // $ Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname)
+	_ = try Regex(#"^(http|https)://www.example.com/p/f/"#).firstMatch(in: tainted) // $ Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname)
+	_ = try Regex(#"^(http://sub.example.com/)"#).firstMatch(in: tainted) // $ Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname)
+	_ = try Regex(#"^https?://api.example.com/"#).firstMatch(in: tainted) // $ Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname)
 	_ = try Regex(#"^http[s]?://?sub1\.sub2\.example\.com/f/(.+)"#).firstMatch(in: tainted) // GOOD (it has a capture group after the TLD, so should be ignored)
-	_ = try Regex(#"^https://[a-z]*.example.com$"#).firstMatch(in: tainted) // $ Alert // BAD (incomplete hostname)
-	_ = try Regex(#"^(example.dev|example.com)"#).firstMatch(in: tainted) // $ Alert // GOOD (any extended hostname wouldn't be included in the capture group) [FALSE POSITIVE]
-	_ = try Regex(#"^protos?://(localhost|.+.example.net|.+.example-a.com|.+.example-b.com|.+.example.internal)"#).firstMatch(in: tainted) // $ Alert // BAD (incomplete hostname x3, missing anchor x 1)
+	_ = try Regex(#"^https://[a-z]*.example.com$"#).firstMatch(in: tainted) // $ Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname)
+	_ = try Regex(#"^(example.dev|example.com)"#).firstMatch(in: tainted) // $ Alert[swift/missing-regexp-anchor] // GOOD (any extended hostname wouldn't be included in the capture group) [FALSE POSITIVE]
+	_ = try Regex(#"^protos?://(localhost|.+.example.net|.+.example-a.com|.+.example-b.com|.+.example.internal)"#).firstMatch(in: tainted) // $ Alert[swift/incomplete-hostname-regexp] Alert[swift/incomplete-hostname-regexp] Alert[swift/incomplete-hostname-regexp] Alert[swift/missing-regexp-anchor] // BAD (incomplete hostname x3, missing anchor x 1)
 
 	_ = try Regex(#"^http://(..|...)\.example\.com/index\.html"#).firstMatch(in: tainted) // GOOD (wildcards are intentional)
 	_ = try Regex(#"^http://.\.example\.com/index\.html"#).firstMatch(in: tainted) // GOOD (the wildcard is intentional)
 	_ = try Regex(#"^(foo.example\.com|whatever)$"#).firstMatch(in: tainted) // $ Alert // DUBIOUS (one disjunction doesn't even look like a hostname) [DETECTED incomplete hostname, missing anchor]
 
-	_ = try Regex(#"^test.example.com$"#).firstMatch(in: tainted) // $ Alert // BAD (incomplete hostname)
+	_ = try Regex(#"^test.example.com$"#).firstMatch(in: tainted) // $ Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname)
 	_ = try Regex(#"test.example.com"#).wholeMatch(in: tainted) // $ Alert // BAD (incomplete hostname, missing anchor)
 
-	_ = try Regex(id(id(id(#"test.example.com$"#)))).firstMatch(in: tainted) // $ Alert // BAD (incomplete hostname)
+	_ = try Regex(id(id(id(#"test.example.com$"#)))).firstMatch(in: tainted) // $ Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname)
 
 	let hostname = #"test.example.com$"# // BAD (incomplete hostname) [NOT DETECTED]
 	_ = try Regex("\(hostname)").firstMatch(in: tainted)
 
 	var domain = MyDomain("")
-	domain.hostname = #"test.example.com$"# // $ Alert // BAD (incomplete hostname)
+	domain.hostname = #"test.example.com$"# // $ Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname)
 	_ = try Regex(domain.hostname).firstMatch(in: tainted)
 
 	func convert1(_ domain: MyDomain) throws -> Regex<AnyRegexOutput> {
 		return try Regex(domain.hostname)
 	}
-	_ = try convert1(MyDomain(#"test.example.com$"#)).firstMatch(in: tainted) // $ Alert // BAD (incomplete hostname)
+	_ = try convert1(MyDomain(#"test.example.com$"#)).firstMatch(in: tainted) // $ Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname)
 
 	let domains = [ MyDomain(#"test.example.com$"#) ]  // BAD (incomplete hostname) [NOT DETECTED]
 	func convert2(_ domain: MyDomain) throws -> Regex<AnyRegexOutput> {
diff --git a/swift/ql/test/query-tests/Security/CWE-311/SQLite.swift b/swift/ql/test/query-tests/Security/CWE-311/SQLite.swift
index f3fb7f0fe23..4b2f0923784 100644
--- a/swift/ql/test/query-tests/Security/CWE-311/SQLite.swift
+++ b/swift/ql/test/query-tests/Security/CWE-311/SQLite.swift
@@ -116,64 +116,64 @@ func ==<V>(lhs: Expression<V>, rhs: V) -> Expression<Bool> { return Expression<B
 func test_sqlite_swift_api(db: Connection, id: Int, mobilePhoneNumber: String) throws {
 	// --- sensitive data in SQL (in practice these cases may also be SQL injection) ---
 
-	let insertQuery = "INSERT INTO CONTACTS(ID, NUMBER) VALUES(\(id), \(mobilePhoneNumber));" // $ Source
-	let updateQuery = "UPDATE CONTACTS SET NUMBER=\(mobilePhoneNumber) WHERE ID=\(id);" // $ Source
+	let insertQuery = "INSERT INTO CONTACTS(ID, NUMBER) VALUES(\(id), \(mobilePhoneNumber));" // $ Source[swift/cleartext-storage-database]
+	let updateQuery = "UPDATE CONTACTS SET NUMBER=\(mobilePhoneNumber) WHERE ID=\(id);" // $ Source[swift/cleartext-storage-database]
 	let deleteQuery = "DELETE FROM CONTACTS WHERE ID=\(id);"
 
-	try db.execute(insertQuery) // $ Alert // BAD (sensitive data)
-	try db.execute(updateQuery) // $ Alert // BAD (sensitive data)
+	try db.execute(insertQuery) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
+	try db.execute(updateQuery) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
 	try db.execute(deleteQuery) // GOOD
 
-	_ = try db.prepare(insertQuery).run() // $ Alert // BAD (sensitive data)
-	_ = try db.prepare(updateQuery).run() // $ Alert // BAD (sensitive data)
+	_ = try db.prepare(insertQuery).run() // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
+	_ = try db.prepare(updateQuery).run() // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
 	_ = try db.prepare(deleteQuery).run() // GOOD
 
-	_ = try db.run(insertQuery) // $ Alert // BAD (sensitive data)
-	_ = try db.run(updateQuery) // $ Alert // BAD (sensitive data)
+	_ = try db.run(insertQuery) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
+	_ = try db.run(updateQuery) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
 	_ = try db.run(deleteQuery) // GOOD
 
-	_ = try db.scalar(insertQuery) // $ Alert // BAD (sensitive data)
-	_ = try db.scalar(updateQuery) // $ Alert // BAD (sensitive data)
+	_ = try db.scalar(insertQuery) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
+	_ = try db.scalar(updateQuery) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
 	_ = try db.scalar(deleteQuery) // GOOD
 
-	_ = try Statement(db, insertQuery).run() // $ Alert // BAD (sensitive data)
-	_ = try Statement(db, updateQuery).run() // $ Alert // BAD (sensitive data)
+	_ = try Statement(db, insertQuery).run() // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
+	_ = try Statement(db, updateQuery).run() // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
 	_ = try Statement(db, deleteQuery).run() // GOOD
 
 	// --- sensitive data in bindings ---
 
 	let varQuery1 = "UPDATE CONTACTS SET NUMBER=?;"
 
-	_ = try db.prepare(varQuery1, mobilePhoneNumber).run() // $ Alert // BAD (sensitive data)
-	_ = try db.run(varQuery1, mobilePhoneNumber) // $ Alert // BAD (sensitive data)
-	_ = try db.scalar(varQuery1, mobilePhoneNumber) // $ Alert // BAD (sensitive data)
+	_ = try db.prepare(varQuery1, mobilePhoneNumber).run() // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
+	_ = try db.run(varQuery1, mobilePhoneNumber) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
+	_ = try db.scalar(varQuery1, mobilePhoneNumber) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
 
 	let stmt1 = try db.prepare(varQuery1) // GOOD
-	_ = try stmt1.bind(mobilePhoneNumber).run() // $ Alert // BAD (sensitive data)
-	_ = try stmt1.run(mobilePhoneNumber) // $ Alert // BAD (sensitive data)
-	_ = try stmt1.scalar(mobilePhoneNumber) // $ Alert // BAD (sensitive data)
+	_ = try stmt1.bind(mobilePhoneNumber).run() // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
+	_ = try stmt1.run(mobilePhoneNumber) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
+	_ = try stmt1.scalar(mobilePhoneNumber) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
 
 	let varQuery2 = "UPDATE CONTACTS SET NUMBER=? WHERE ID=?;"
 
-	_ = try db.prepare(varQuery2, [mobilePhoneNumber, id]).run() // $ Alert // BAD (sensitive data)
-	_ = try db.run(varQuery2, [mobilePhoneNumber, id]) // $ Alert // BAD (sensitive data)
-	_ = try db.scalar(varQuery2, [mobilePhoneNumber, id]) // $ Alert // BAD (sensitive data)
+	_ = try db.prepare(varQuery2, [mobilePhoneNumber, id]).run() // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
+	_ = try db.run(varQuery2, [mobilePhoneNumber, id]) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
+	_ = try db.scalar(varQuery2, [mobilePhoneNumber, id]) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
 
 	let stmt2 = try db.prepare(varQuery2) // GOOD
-	_ = try stmt2.bind([mobilePhoneNumber, id]).run() // $ Alert // BAD (sensitive data)
-	_ = try stmt2.run([mobilePhoneNumber, id]) // $ Alert // BAD (sensitive data)
-	_ = try stmt2.scalar([mobilePhoneNumber, id]) // $ Alert // BAD (sensitive data)
+	_ = try stmt2.bind([mobilePhoneNumber, id]).run() // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
+	_ = try stmt2.run([mobilePhoneNumber, id]) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
+	_ = try stmt2.scalar([mobilePhoneNumber, id]) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
 
 	let varQuery3 = "UPDATE CONTACTS SET NUMBER=$number WHERE ID=$id;"
 
-	_ = try db.prepare(varQuery3, ["id": id, "number": mobilePhoneNumber]).run() // $ Alert // BAD (sensitive data)
-	_ = try db.run(varQuery3, ["id": id, "number": mobilePhoneNumber]) // $ Alert // BAD (sensitive data)
-	_ = try db.scalar(varQuery3, ["id": id, "number": mobilePhoneNumber]) // $ Alert // BAD (sensitive data)
+	_ = try db.prepare(varQuery3, ["id": id, "number": mobilePhoneNumber]).run() // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
+	_ = try db.run(varQuery3, ["id": id, "number": mobilePhoneNumber]) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
+	_ = try db.scalar(varQuery3, ["id": id, "number": mobilePhoneNumber]) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
 
 	let stmt3 = try db.prepare(varQuery3) // GOOD
-	_ = try stmt3.bind(["id": id, "number": mobilePhoneNumber]).run() // $ Alert // BAD (sensitive data)
-	_ = try stmt3.run(["id": id, "number": mobilePhoneNumber]) // $ Alert // BAD (sensitive data)
-	_ = try stmt3.scalar(["id": id, "number": mobilePhoneNumber]) // $ Alert // BAD (sensitive data)
+	_ = try stmt3.bind(["id": id, "number": mobilePhoneNumber]).run() // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
+	_ = try stmt3.run(["id": id, "number": mobilePhoneNumber]) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
+	_ = try stmt3.scalar(["id": id, "number": mobilePhoneNumber]) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
 
 	// --- higher level insert / update ---
 
@@ -183,20 +183,20 @@ func test_sqlite_swift_api(db: Connection, id: Int, mobilePhoneNumber: String) t
 	let filter = table.filter(idExpr == id) // GOOD
 
 	try db.run(table.insert(idExpr <- id, numberExpr <- "123")) // GOOD
-	try db.run(table.insert(idExpr <- id, numberExpr <- mobilePhoneNumber)) // $ Alert // BAD (sensitive data)
+	try db.run(table.insert(idExpr <- id, numberExpr <- mobilePhoneNumber)) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
 
 	try db.run(table.update(numberExpr <- "123")) // GOOD
-	try db.run(table.update(numberExpr <- mobilePhoneNumber)) // $ Alert // BAD (sensitive data)
+	try db.run(table.update(numberExpr <- mobilePhoneNumber)) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
 	try db.run(filter.update(numberExpr <- "123")) // GOOD
-	try db.run(filter.update(numberExpr <- mobilePhoneNumber)) // $ Alert // BAD (sensitive data)
+	try db.run(filter.update(numberExpr <- mobilePhoneNumber)) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
 	try db.run(table.update(numberExpr <- numberExpr.replace("123", with: "456"))) // GOOD
-	try db.run(table.update(numberExpr <- numberExpr.replace("123", with: mobilePhoneNumber))) // $ Alert // BAD (sensitive data)
+	try db.run(table.update(numberExpr <- numberExpr.replace("123", with: mobilePhoneNumber))) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
 	// (much more complex query construction is possible in SQLite.swift)
 
 	let goodMany = [[numberExpr <- "456"]]
-	let badMany = [[numberExpr <- mobilePhoneNumber]] // $ Source
+	let badMany = [[numberExpr <- mobilePhoneNumber]] // $ Source[swift/cleartext-storage-database]
 	try db.run(table.insertMany(goodMany)) // GOOD
-	try db.run(table.insertMany(badMany)) // $ Alert // BAD (sensitive data)
+	try db.run(table.insertMany(badMany)) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
 	try db.run(table.insertMany(or: OnConflict.replace, goodMany)) // GOOD
-	try db.run(table.insertMany(or: OnConflict.replace, badMany)) // $ Alert // BAD (sensitive data)
+	try db.run(table.insertMany(or: OnConflict.replace, badMany)) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
 }
diff --git a/swift/ql/test/query-tests/Security/CWE-311/sqlite3_c_api.swift b/swift/ql/test/query-tests/Security/CWE-311/sqlite3_c_api.swift
index 89e63c1aecd..55863e13e1f 100644
--- a/swift/ql/test/query-tests/Security/CWE-311/sqlite3_c_api.swift
+++ b/swift/ql/test/query-tests/Security/CWE-311/sqlite3_c_api.swift
@@ -39,12 +39,12 @@ func sqlite3_bind_text(
 func test_sqlite3_c_api(db: OpaquePointer?, id: Int32, medicalNotes: String) {
 	// --- sensitive data in SQL (in practice these cases may also be SQL injection) ---
 
-	let insertQuery = "INSERT INTO PATIENTS(ID, NOTES) VALUES(\(id), \(medicalNotes));" // $ Source
-	let updateQuery = "UPDATE PATIENTS SET NOTES=\(medicalNotes) WHERE ID=\(id);" // $ Source
+	let insertQuery = "INSERT INTO PATIENTS(ID, NOTES) VALUES(\(id), \(medicalNotes));" // $ Source[swift/cleartext-storage-database]
+	let updateQuery = "UPDATE PATIENTS SET NOTES=\(medicalNotes) WHERE ID=\(id);" // $ Source[swift/cleartext-storage-database]
 	let deleteQuery = "DELETE FROM PATIENTS WHERE ID=\(id);"
 
-	let _ = sqlite3_exec(db, insertQuery, nil, nil, nil) // $ Alert // BAD (sensitive data)
-	let _ = sqlite3_exec(db, updateQuery, nil, nil, nil) // $ Alert // BAD (sensitive data)
+	let _ = sqlite3_exec(db, insertQuery, nil, nil, nil) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
+	let _ = sqlite3_exec(db, updateQuery, nil, nil, nil) // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
 	let _ = sqlite3_exec(db, deleteQuery, nil, nil, nil) // GOOD
 
 	// --- sensitive data in bindings ---
@@ -55,7 +55,7 @@ func test_sqlite3_c_api(db: OpaquePointer?, id: Int32, medicalNotes: String) {
 
 	if (sqlite3_prepare(db, varQuery, -1, &stmt1, nil) == SQLITE_OK) { // GOOD
 		if (sqlite3_bind_int(stmt1, 1, id) == SQLITE_OK) { // GOOD
-			if (sqlite3_bind_text(stmt1, 2, medicalNotes, -1, SQLITE_TRANSIENT) == SQLITE_OK) { // $ Alert // BAD (sensitive data)
+			if (sqlite3_bind_text(stmt1, 2, medicalNotes, -1, SQLITE_TRANSIENT) == SQLITE_OK) { // $ Alert[swift/cleartext-storage-database] // BAD (sensitive data)
 				// ...
 			}
 		}
diff --git a/swift/ql/test/query-tests/Security/CWE-311/testAlamofire.swift b/swift/ql/test/query-tests/Security/CWE-311/testAlamofire.swift
index 8ee3fccac9d..0bbb43d732c 100644
--- a/swift/ql/test/query-tests/Security/CWE-311/testAlamofire.swift
+++ b/swift/ql/test/query-tests/Security/CWE-311/testAlamofire.swift
@@ -147,11 +147,11 @@ struct MyEncodable: Encodable {
 func test1(username: String, password: String, email: String, harmless: String) {
 	// sensitive data in URL
 
-	AF.request("http://example.com/login?p=" + password) // $ Alert
+	AF.request("http://example.com/login?p=" + password) // $ Alert[swift/cleartext-transmission]
 	AF.request("http://example.com/login?h=" + harmless) // GOOD (not sensitive)
-	AF.streamRequest("http://example.com/login?p=" + password) // $ Alert
+	AF.streamRequest("http://example.com/login?p=" + password) // $ Alert[swift/cleartext-transmission]
 	AF.streamRequest("http://example.com/login?h=" + harmless) // GOOD (not sensitive)
-	AF.download("http://example.com/" + email + ".html") // $ Alert
+	AF.download("http://example.com/" + email + ".html") // $ Alert[swift/cleartext-transmission]
 	AF.download("http://example.com/" + harmless + ".html") // GOOD (not sensitive)
 
 	// sensitive data in parameters
diff --git a/swift/ql/test/query-tests/Security/CWE-311/testCoreData.swift b/swift/ql/test/query-tests/Security/CWE-311/testCoreData.swift
index d861eac57b1..50eac08b47c 100644
--- a/swift/ql/test/query-tests/Security/CWE-311/testCoreData.swift
+++ b/swift/ql/test/query-tests/Security/CWE-311/testCoreData.swift
@@ -16,7 +16,7 @@ class NSManagedObject : NSObject
 class MyManagedObject : NSManagedObject
 {
 	func setIndirect(value: String) {
-		setValue(value, forKey: "myKey") // $ Alert
+		setValue(value, forKey: "myKey") // $ Alert[swift/cleartext-storage-database]
 	}
 
 	var myValue: String {
@@ -29,7 +29,7 @@ class MyManagedObject : NSManagedObject
 			}
 		}
 		set {
-			setValue(newValue, forKey: "myKey") // $ Alert // [additional result reported here]
+			setValue(newValue, forKey: "myKey") // $ Alert[swift/cleartext-storage-database] // [additional result reported here]
 		}
 	}
 }
@@ -45,23 +45,23 @@ func doSomething(password: String) { }
 func test1(obj : NSManagedObject, password : String, password_hash : String) {
 	// NSManagedObject methods...
 
-	obj.setValue(password, forKey: "myKey") // $ Alert
+	obj.setValue(password, forKey: "myKey") // $ Alert[swift/cleartext-storage-database]
 	obj.setValue(password_hash, forKey: "myKey") // GOOD (not sensitive)
 
-	obj.setPrimitiveValue(password, forKey: "myKey") // $ Alert
+	obj.setPrimitiveValue(password, forKey: "myKey") // $ Alert[swift/cleartext-storage-database]
 	obj.setPrimitiveValue(password_hash, forKey: "myKey") // GOOD (not sensitive)
 }
 
 func test2(obj : MyManagedObject, password : String, password_file : String) {
 	// MyManagedObject methods...
 
-	obj.setValue(password, forKey: "myKey") // $ Alert
+	obj.setValue(password, forKey: "myKey") // $ Alert[swift/cleartext-storage-database]
 	obj.setValue(password_file, forKey: "myKey") // GOOD (not sensitive)
 
-	obj.setIndirect(value: password) // $ Source // BAD [reported on line 19]
+	obj.setIndirect(value: password) // $ Source[swift/cleartext-storage-database] // BAD [reported on line 19]
 	obj.setIndirect(value: password_file) // GOOD (not sensitive)
 
-	obj.myValue = password // $ Alert Source // BAD [also reported on line 32]
+	obj.myValue = password // $ Alert[swift/cleartext-storage-database] Source[swift/cleartext-storage-database] // BAD [also reported on line 32]
 	obj.myValue = password_file // GOOD (not sensitive)
 }
 
@@ -74,27 +74,27 @@ func test3(obj : NSManagedObject, x : String) {
 	// alternative evidence of sensitivity...
 
 	obj.setValue(x, forKey: "myKey") // BAD [NOT REPORTED]
-	doSomething(password: x); // $ Source
-	obj.setValue(x, forKey: "myKey") // $ Alert
+	doSomething(password: x); // $ Source[swift/cleartext-storage-database]
+	obj.setValue(x, forKey: "myKey") // $ Alert[swift/cleartext-storage-database]
 
-	let y = getPassword(); // $ Source
-	obj.setValue(y, forKey: "myKey") // $ Alert
+	let y = getPassword(); // $ Source[swift/cleartext-storage-database]
+	obj.setValue(y, forKey: "myKey") // $ Alert[swift/cleartext-storage-database]
 
 	let z = MyClass()
 	obj.setValue(z.harmless, forKey: "myKey") // GOOD (not sensitive)
-	obj.setValue(z.password, forKey: "myKey") // $ Alert
+	obj.setValue(z.password, forKey: "myKey") // $ Alert[swift/cleartext-storage-database]
 }
 
 func test4(obj : NSManagedObject, passwd : String) {
 	// sanitizers...
 
-	var x = passwd; // $ Source
-	var y = passwd; // $ Source
-	var z = passwd; // $ Source
+	var x = passwd; // $ Source[swift/cleartext-storage-database]
+	var y = passwd; // $ Source[swift/cleartext-storage-database]
+	var z = passwd; // $ Source[swift/cleartext-storage-database]
 
-	obj.setValue(x, forKey: "myKey") // $ Alert
-	obj.setValue(y, forKey: "myKey") // $ Alert
-	obj.setValue(z, forKey: "myKey") // $ Alert
+	obj.setValue(x, forKey: "myKey") // $ Alert[swift/cleartext-storage-database]
+	obj.setValue(y, forKey: "myKey") // $ Alert[swift/cleartext-storage-database]
+	obj.setValue(z, forKey: "myKey") // $ Alert[swift/cleartext-storage-database]
 
 	x = encrypt(x);
 	hash(data: &y);
@@ -125,8 +125,8 @@ func test5(obj : NSManagedObject) {
 	// more variants...
 
 	obj.setValue(createSecureKey(), forKey: "myKey") // BAD [NOT DETECTED]
-	obj.setValue(generateSecretKey(), forKey: "myKey") // $ Alert
-	obj.setValue(getCertificate(), forKey: "myKey") // $ Alert
+	obj.setValue(generateSecretKey(), forKey: "myKey") // $ Alert[swift/cleartext-storage-database]
+	obj.setValue(getCertificate(), forKey: "myKey") // $ Alert[swift/cleartext-storage-database]
 
 	let gen = KeyGen()
 	let v = gen.generate()
diff --git a/swift/ql/test/query-tests/Security/CWE-311/testCoreData2.swift b/swift/ql/test/query-tests/Security/CWE-311/testCoreData2.swift
index 1a55387ac3c..494f136d909 100644
--- a/swift/ql/test/query-tests/Security/CWE-311/testCoreData2.swift
+++ b/swift/ql/test/query-tests/Security/CWE-311/testCoreData2.swift
@@ -34,35 +34,35 @@ func testCoreData2_1(obj: MyManagedObject2, maybeObj: MyManagedObject2?, value:
 {
 	// @NSManaged fields of an NSManagedObject...
 	obj.myValue = value // GOOD (not sensitive)
-	obj.myValue = bankAccountNo // $ Alert
+	obj.myValue = bankAccountNo // $ Alert[swift/cleartext-storage-database]
 	obj.myBankAccountNumber = value // BAD [NOT DETECTED]
-	obj.myBankAccountNumber = bankAccountNo // $ Alert
+	obj.myBankAccountNumber = bankAccountNo // $ Alert[swift/cleartext-storage-database]
 	obj.myBankAccountNumber2 = value // BAD [NOT DETECTED]
-	obj.myBankAccountNumber2 = bankAccountNo // $ Alert
+	obj.myBankAccountNumber2 = bankAccountNo // $ Alert[swift/cleartext-storage-database]
 	obj.notStoredBankAccountNumber = value // GOOD (not stored in the database)
-	obj.notStoredBankAccountNumber = bankAccountNo // $ Alert // GOOD (not stored in the datbase) [FALSE POSITIVE]
+	obj.notStoredBankAccountNumber = bankAccountNo // $ Alert[swift/cleartext-storage-database] // GOOD (not stored in the datbase) [FALSE POSITIVE]
 
 	maybeObj?.myValue = value // GOOD (not sensitive)
-	maybeObj?.myValue = bankAccountNo // $ Alert
+	maybeObj?.myValue = bankAccountNo // $ Alert[swift/cleartext-storage-database]
 	maybeObj?.myBankAccountNumber = value // BAD [NOT DETECTED]
-	maybeObj?.myBankAccountNumber = bankAccountNo // $ Alert
+	maybeObj?.myBankAccountNumber = bankAccountNo // $ Alert[swift/cleartext-storage-database]
 	maybeObj?.myBankAccountNumber2 = value // BAD [NOT DETECTED]
-	maybeObj?.myBankAccountNumber2 = bankAccountNo // $ Alert
+	maybeObj?.myBankAccountNumber2 = bankAccountNo // $ Alert[swift/cleartext-storage-database]
 	maybeObj?.notStoredBankAccountNumber = value // GOOD (not stored in the database)
-	maybeObj?.notStoredBankAccountNumber = bankAccountNo // $ Alert // GOOD (not stored in the datbase) [FALSE POSITIVE]
+	maybeObj?.notStoredBankAccountNumber = bankAccountNo // $ Alert[swift/cleartext-storage-database] // GOOD (not stored in the datbase) [FALSE POSITIVE]
 }
 
 class testCoreData2_2 {
 	func myFunc(obj: MyManagedObject2, bankAccountNo: Int) {
-		obj.myBankAccountNumber = bankAccountNo // $ Alert
+		obj.myBankAccountNumber = bankAccountNo // $ Alert[swift/cleartext-storage-database]
 
 		if #available(iOS 10.0, *) {
-			obj.myBankAccountNumber = bankAccountNo // $ Alert
+			obj.myBankAccountNumber = bankAccountNo // $ Alert[swift/cleartext-storage-database]
 		} else {
-			obj.myBankAccountNumber = bankAccountNo // $ Alert
+			obj.myBankAccountNumber = bankAccountNo // $ Alert[swift/cleartext-storage-database]
 		}
 
-		obj.myBankAccountNumber = bankAccountNo // $ Alert
+		obj.myBankAccountNumber = bankAccountNo // $ Alert[swift/cleartext-storage-database]
 	}
 }
 
@@ -76,31 +76,31 @@ class MyContainer {
 func testCoreData2_3(dbObj: MyManagedObject2, maybeObj: MyManagedObject2?, container: MyContainer, bankAccountNo: MyContainer, bankAccountNo2: MyContainer!) {
 	dbObj.myValue = container.value // GOOD (not sensitive)
 	dbObj.myValue = container.value2 // GOOD (not sensitive)
-	dbObj.myValue = container.bankAccountNo // $ Alert
-	dbObj.myValue = container.bankAccountNo2 // $ Alert
+	dbObj.myValue = container.bankAccountNo // $ Alert[swift/cleartext-storage-database]
+	dbObj.myValue = container.bankAccountNo2 // $ Alert[swift/cleartext-storage-database]
 
-	dbObj.myValue = bankAccountNo.value // $ Alert
-	dbObj.myValue = bankAccountNo.value2 // $ Alert
-	dbObj.myValue = bankAccountNo2.value // $ Alert
-	dbObj.myValue = bankAccountNo2.value2 // $ Alert
+	dbObj.myValue = bankAccountNo.value // $ Alert[swift/cleartext-storage-database]
+	dbObj.myValue = bankAccountNo.value2 // $ Alert[swift/cleartext-storage-database]
+	dbObj.myValue = bankAccountNo2.value // $ Alert[swift/cleartext-storage-database]
+	dbObj.myValue = bankAccountNo2.value2 // $ Alert[swift/cleartext-storage-database]
 
-	maybeObj?.myValue = container.bankAccountNo // $ Alert
-	maybeObj?.myValue = bankAccountNo.value // $ Alert
-	maybeObj?.myValue = bankAccountNo2.value2 // $ Alert
+	maybeObj?.myValue = container.bankAccountNo // $ Alert[swift/cleartext-storage-database]
+	maybeObj?.myValue = bankAccountNo.value // $ Alert[swift/cleartext-storage-database]
+	maybeObj?.myValue = bankAccountNo2.value2 // $ Alert[swift/cleartext-storage-database]
 
-	var a = bankAccountNo // $ Source // sensitive
+	var a = bankAccountNo // $ Source[swift/cleartext-storage-database] // sensitive
 	var b = a.value
-	dbObj.myValue = b // $ Alert
+	dbObj.myValue = b // $ Alert[swift/cleartext-storage-database]
 
-	let c = bankAccountNo // $ Source // sensitive
+	let c = bankAccountNo // $ Source[swift/cleartext-storage-database] // sensitive
 	var d: MyContainer = MyContainer()
 	d.value = c.value
-	dbObj.myValue = d.value // $ Alert
+	dbObj.myValue = d.value // $ Alert[swift/cleartext-storage-database]
 	dbObj.myValue = d.value2 // GOOD
 
-	let e = bankAccountNo // $ Source // sensitive
+	let e = bankAccountNo // $ Source[swift/cleartext-storage-database] // sensitive
 	var f: MyContainer?
 	f?.value = e.value
-	dbObj.myValue = e.value // $ Alert
-	dbObj.myValue = e.value2 // $ Alert // GOOD [FALSE POSITIVE]
+	dbObj.myValue = e.value // $ Alert[swift/cleartext-storage-database]
+	dbObj.myValue = e.value2 // $ Alert[swift/cleartext-storage-database] // GOOD [FALSE POSITIVE]
 }
diff --git a/swift/ql/test/query-tests/Security/CWE-311/testGRDB.swift b/swift/ql/test/query-tests/Security/CWE-311/testGRDB.swift
index c803b3d0a0f..371d17b85fb 100644
--- a/swift/ql/test/query-tests/Security/CWE-311/testGRDB.swift
+++ b/swift/ql/test/query-tests/Security/CWE-311/testGRDB.swift
@@ -70,145 +70,145 @@ class CommonTableExpression {
 // --- tests ---
 
 func test(database: Database, password: String, harmless: String) {
-    let _ = database.allStatements(sql: "", arguments: [password]) // $ Alert
+    let _ = database.allStatements(sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     let _ = database.allStatements(sql: "", arguments: [harmless]) // GOOD
 
-    database.execute(sql: "", arguments: [password]) // $ Alert
+    database.execute(sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     database.execute(sql: "", arguments: [harmless]) // GOOD
 }
 
 func testSqlRequest(password: String, harmless: String) {
-    let _ = SQLRequest(sql: "", arguments: [password]) // $ Alert
+    let _ = SQLRequest(sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     let _ = SQLRequest(sql: "", arguments: [harmless]) // GOOD
-    let _ = SQLRequest(sql: "", arguments: [password], adapter: nil) // $ Alert
+    let _ = SQLRequest(sql: "", arguments: [password], adapter: nil) // $ Alert[swift/cleartext-storage-database]
     let _ = SQLRequest(sql: "", arguments: [harmless], adapter: nil) // GOOD
-    let _ = SQLRequest(sql: "", arguments: [password], cached: false) // $ Alert
+    let _ = SQLRequest(sql: "", arguments: [password], cached: false) // $ Alert[swift/cleartext-storage-database]
     let _ = SQLRequest(sql: "", arguments: [harmless], cached: false) // GOOD
-    let _ = SQLRequest(sql: "", arguments: [password], adapter: nil, cached: false) // $ Alert
+    let _ = SQLRequest(sql: "", arguments: [password], adapter: nil, cached: false) // $ Alert[swift/cleartext-storage-database]
     let _ = SQLRequest(sql: "", arguments: [harmless], adapter: nil, cached: false) // GOOD
 }
 
 func test(sql: SQL, password: String, harmless: String) {
-    let _ = SQL(sql: "", arguments: [password]) // $ Alert
+    let _ = SQL(sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     let _ = SQL(sql: "", arguments: [harmless]) // GOOD
     
-    sql.append(sql: "", arguments: [password]) // $ Alert
+    sql.append(sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     sql.append(sql: "", arguments: [harmless]) // GOOD
 }
 
 func testSqlStatementCursor(database: Database, password: String, harmless: String) {
-    let _ = SQLStatementCursor(database: database, sql: "", arguments: [password]) // $ Alert
-    let _ = SQLStatementCursor(database: database, sql: "", arguments: [password], prepFlags: 0) // $ Alert
+    let _ = SQLStatementCursor(database: database, sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
+    let _ = SQLStatementCursor(database: database, sql: "", arguments: [password], prepFlags: 0) // $ Alert[swift/cleartext-storage-database]
     let _ = SQLStatementCursor(database: database, sql: "", arguments: [harmless]) // GOOD
     let _ = SQLStatementCursor(database: database, sql: "", arguments: [harmless], prepFlags: 0) // GOOD
 }
 
 func testTableRecord(password: String, harmless: String) {
-    let _ = TableRecord.select(sql: "", arguments: [password]) // $ Alert
+    let _ = TableRecord.select(sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     let _ = TableRecord.select(sql: "", arguments: [harmless]) // GOOD
-    let _ = TableRecord.filter(sql: "", arguments: [password]) // $ Alert
+    let _ = TableRecord.filter(sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     let _ = TableRecord.filter(sql: "", arguments: [harmless]) // GOOD
-    let _ = TableRecord.order(sql: "", arguments: [password]) // $ Alert
+    let _ = TableRecord.order(sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     let _ = TableRecord.order(sql: "", arguments: [harmless]) // GOOD
 }
 
 func test(row: Row, stmt: Statement, password: String, harmless: String) {
-    row.fetchCursor(stmt, sql: "", arguments: [password]) // $ Alert
+    row.fetchCursor(stmt, sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     row.fetchCursor(stmt, sql: "", arguments: [harmless]) // GOOD
-    row.fetchCursor(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert
+    row.fetchCursor(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert[swift/cleartext-storage-database]
     row.fetchCursor(stmt, sql: "", arguments: [harmless], adapter: nil) // GOOD
 
-    row.fetchAll(stmt, sql: "", arguments: [password]) // $ Alert
+    row.fetchAll(stmt, sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     row.fetchAll(stmt, sql: "", arguments: [harmless]) // GOOD
-    row.fetchAll(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert
+    row.fetchAll(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert[swift/cleartext-storage-database]
     row.fetchAll(stmt, sql: "", arguments: [harmless], adapter: nil) // GOOD
 
-    row.fetchSet(stmt, sql: "", arguments: [password]) // $ Alert
+    row.fetchSet(stmt, sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     row.fetchSet(stmt, sql: "", arguments: [harmless]) // GOOD
-    row.fetchSet(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert
+    row.fetchSet(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert[swift/cleartext-storage-database]
     row.fetchSet(stmt, sql: "", arguments: [harmless], adapter: nil) // GOOD
 
-    row.fetchOne(stmt, sql: "", arguments: [password]) // $ Alert
+    row.fetchOne(stmt, sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     row.fetchOne(stmt, sql: "", arguments: [harmless]) // GOOD
-    row.fetchOne(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert
+    row.fetchOne(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert[swift/cleartext-storage-database]
     row.fetchOne(stmt, sql: "", arguments: [harmless], adapter: nil) // GOOD
 }
 
 func test(databaseValueConvertible: DatabaseValueConvertible, stmt: Statement, password: String, harmless: String) {
-    databaseValueConvertible.fetchCursor(stmt, sql: "", arguments: [password]) // $ Alert
+    databaseValueConvertible.fetchCursor(stmt, sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     databaseValueConvertible.fetchCursor(stmt, sql: "", arguments: [harmless]) // GOOD
-    databaseValueConvertible.fetchCursor(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert
+    databaseValueConvertible.fetchCursor(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert[swift/cleartext-storage-database]
     databaseValueConvertible.fetchCursor(stmt, sql: "", arguments: [harmless], adapter: nil) // GOOD
 
-    databaseValueConvertible.fetchAll(stmt, sql: "", arguments: [password]) // $ Alert
+    databaseValueConvertible.fetchAll(stmt, sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     databaseValueConvertible.fetchAll(stmt, sql: "", arguments: [harmless]) // GOOD
-    databaseValueConvertible.fetchAll(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert
+    databaseValueConvertible.fetchAll(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert[swift/cleartext-storage-database]
     databaseValueConvertible.fetchAll(stmt, sql: "", arguments: [harmless], adapter: nil) // GOOD
 
-    databaseValueConvertible.fetchSet(stmt, sql: "", arguments: [password]) // $ Alert
+    databaseValueConvertible.fetchSet(stmt, sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     databaseValueConvertible.fetchSet(stmt, sql: "", arguments: [harmless]) // GOOD
-    databaseValueConvertible.fetchSet(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert
+    databaseValueConvertible.fetchSet(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert[swift/cleartext-storage-database]
     databaseValueConvertible.fetchSet(stmt, sql: "", arguments: [harmless], adapter: nil) // GOOD
 
-    databaseValueConvertible.fetchOne(stmt, sql: "", arguments: [password]) // $ Alert
+    databaseValueConvertible.fetchOne(stmt, sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     databaseValueConvertible.fetchOne(stmt, sql: "", arguments: [harmless]) // GOOD
-    databaseValueConvertible.fetchOne(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert
+    databaseValueConvertible.fetchOne(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert[swift/cleartext-storage-database]
     databaseValueConvertible.fetchOne(stmt, sql: "", arguments: [harmless], adapter: nil) // GOOD
 }
 
 func test(fetchableRecord: FetchableRecord, stmt: Statement, password: String, harmless: String) {
-    fetchableRecord.fetchCursor(stmt, sql: "", arguments: [password]) // $ Alert
-    fetchableRecord.fetchCursor(stmt, arguments: [password]) // $ Alert
+    fetchableRecord.fetchCursor(stmt, sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
+    fetchableRecord.fetchCursor(stmt, arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     fetchableRecord.fetchCursor(stmt, sql: "", arguments: [harmless]) // GOOD
     fetchableRecord.fetchCursor(stmt, arguments: [harmless]) // GOOD
-    fetchableRecord.fetchCursor(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert
-    fetchableRecord.fetchCursor(stmt, arguments: [password], adapter: nil) // $ Alert
+    fetchableRecord.fetchCursor(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert[swift/cleartext-storage-database]
+    fetchableRecord.fetchCursor(stmt, arguments: [password], adapter: nil) // $ Alert[swift/cleartext-storage-database]
     fetchableRecord.fetchCursor(stmt, sql: "", arguments: [harmless], adapter: nil) // GOOD
     fetchableRecord.fetchCursor(stmt, arguments: [harmless], adapter: nil) // GOOD
 
-    fetchableRecord.fetchAll(stmt, sql: "", arguments: [password]) // $ Alert
-    fetchableRecord.fetchAll(stmt, arguments: [password]) // $ Alert
+    fetchableRecord.fetchAll(stmt, sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
+    fetchableRecord.fetchAll(stmt, arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     fetchableRecord.fetchAll(stmt, sql: "", arguments: [harmless]) // GOOD
     fetchableRecord.fetchAll(stmt, arguments: [harmless]) // GOOD
-    fetchableRecord.fetchAll(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert
-    fetchableRecord.fetchAll(stmt, arguments: [password], adapter: nil) // $ Alert
+    fetchableRecord.fetchAll(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert[swift/cleartext-storage-database]
+    fetchableRecord.fetchAll(stmt, arguments: [password], adapter: nil) // $ Alert[swift/cleartext-storage-database]
     fetchableRecord.fetchAll(stmt, sql: "", arguments: [harmless], adapter: nil) // GOOD
     fetchableRecord.fetchAll(stmt, arguments: [harmless], adapter: nil) // GOOD
 
-    fetchableRecord.fetchSet(stmt, sql: "", arguments: [password]) // $ Alert
-    fetchableRecord.fetchSet(stmt, arguments: [password]) // $ Alert
+    fetchableRecord.fetchSet(stmt, sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
+    fetchableRecord.fetchSet(stmt, arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     fetchableRecord.fetchSet(stmt, sql: "", arguments: [harmless]) // GOOD
     fetchableRecord.fetchSet(stmt, arguments: [harmless]) // GOOD
-    fetchableRecord.fetchSet(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert
-    fetchableRecord.fetchSet(stmt, arguments: [password], adapter: nil) // $ Alert
+    fetchableRecord.fetchSet(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert[swift/cleartext-storage-database]
+    fetchableRecord.fetchSet(stmt, arguments: [password], adapter: nil) // $ Alert[swift/cleartext-storage-database]
     fetchableRecord.fetchSet(stmt, sql: "", arguments: [harmless], adapter: nil) // GOOD
     fetchableRecord.fetchSet(stmt, arguments: [harmless], adapter: nil) // GOOD
 
-    fetchableRecord.fetchOne(stmt, sql: "", arguments: [password]) // $ Alert
-    fetchableRecord.fetchOne(stmt, arguments: [password]) // $ Alert
+    fetchableRecord.fetchOne(stmt, sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
+    fetchableRecord.fetchOne(stmt, arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     fetchableRecord.fetchOne(stmt, sql: "", arguments: [harmless]) // GOOD
     fetchableRecord.fetchOne(stmt, arguments: [harmless]) // GOOD
-    fetchableRecord.fetchOne(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert
-    fetchableRecord.fetchOne(stmt, arguments: [password], adapter: nil) // $ Alert
+    fetchableRecord.fetchOne(stmt, sql: "", arguments: [password], adapter: nil) // $ Alert[swift/cleartext-storage-database]
+    fetchableRecord.fetchOne(stmt, arguments: [password], adapter: nil) // $ Alert[swift/cleartext-storage-database]
     fetchableRecord.fetchOne(stmt, sql: "", arguments: [harmless], adapter: nil) // GOOD
     fetchableRecord.fetchOne(stmt, arguments: [harmless], adapter: nil) // GOOD
 }
 
 func test(stmt: Statement, password: String, harmless: String) {
-    stmt.execute(arguments: [password]) // $ Alert
+    stmt.execute(arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     stmt.execute(arguments: [harmless]) // GOOD
 
-    stmt.setArguments([password]) // $ Alert
+    stmt.setArguments([password]) // $ Alert[swift/cleartext-storage-database]
     stmt.setArguments([harmless]) // GOOD
 }
 
 func testCommonTableExpression(password: String, harmless: String) {
-    let _ = CommonTableExpression(named: "", sql: "", arguments: [password]) // $ Alert
+    let _ = CommonTableExpression(named: "", sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     let _ = CommonTableExpression(named: "", sql: "", arguments: [harmless]) // GOOD
-    let _ = CommonTableExpression(named: "", columns: nil, sql: "", arguments: [password]) // $ Alert
+    let _ = CommonTableExpression(named: "", columns: nil, sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     let _ = CommonTableExpression(named: "", columns: nil, sql: "", arguments: [harmless]) // GOOD
-    let _ = CommonTableExpression(recursive: false, named: "", sql: "", arguments: [password]) // $ Alert
+    let _ = CommonTableExpression(recursive: false, named: "", sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     let _ = CommonTableExpression(recursive: false, named: "", sql: "", arguments: [harmless]) // GOOD
-    let _ = CommonTableExpression(recursive: false, named: "", columns: nil, sql: "", arguments: [password]) // $ Alert
+    let _ = CommonTableExpression(recursive: false, named: "", columns: nil, sql: "", arguments: [password]) // $ Alert[swift/cleartext-storage-database]
     let _ = CommonTableExpression(recursive: false, named: "", columns: nil, sql: "", arguments: [harmless]) // GOOD
 }
diff --git a/swift/ql/test/query-tests/Security/CWE-311/testRealm.swift b/swift/ql/test/query-tests/Security/CWE-311/testRealm.swift
index cb52933a92f..9cff8e6891d 100644
--- a/swift/ql/test/query-tests/Security/CWE-311/testRealm.swift
+++ b/swift/ql/test/query-tests/Security/CWE-311/testRealm.swift
@@ -38,7 +38,7 @@ func test1(realm : Realm, myHarmless: String, myPassword : String, myHashedPassw
 	// add objects (within a transaction) ...
 
 	let a = MyRealmSwiftObject()
-	a.data = myPassword // $ Alert
+	a.data = myPassword // $ Alert[swift/cleartext-storage-database]
 	realm.add(a)
 
 	let b = MyRealmSwiftObject()
@@ -46,7 +46,7 @@ func test1(realm : Realm, myHarmless: String, myPassword : String, myHashedPassw
 	realm.add(b) // GOOD (not sensitive)
 
 	let c = MyRealmSwiftObject()
-	c.data = myPassword // $ Alert
+	c.data = myPassword // $ Alert[swift/cleartext-storage-database]
 	realm.create(MyRealmSwiftObject.self, value: c)
 
 	let d = MyRealmSwiftObject()
@@ -56,21 +56,21 @@ func test1(realm : Realm, myHarmless: String, myPassword : String, myHashedPassw
 	// retrieve objects ...
 
 	var e = realm.object(ofType: MyRealmSwiftObject.self, forPrimaryKey: "key")
-	e!.data = myPassword // $ Alert
+	e!.data = myPassword // $ Alert[swift/cleartext-storage-database]
 
 	var f = realm.object(ofType: MyRealmSwiftObject.self, forPrimaryKey: "key")
 	f!.data = myHashedPassword // GOOD (not sensitive)
 
 	let g = MyRealmSwiftObject()
 	g.data = "" // GOOD (not sensitive)
-	g.data = myPassword // $ Alert
+	g.data = myPassword // $ Alert[swift/cleartext-storage-database]
 	g.data = "" // GOOD (not sensitive)
 
 	// MyRealmSwiftObject2...
 
 	let h = MyRealmSwiftObject2()
 	h.harmless = myHarmless // GOOD (not sensitive)
-	h.password = myPassword // $ Alert
+	h.password = myPassword // $ Alert[swift/cleartext-storage-database]
 	realm.add(h)
 }
 
diff --git a/swift/ql/test/query-tests/Security/CWE-311/testRealm2.swift b/swift/ql/test/query-tests/Security/CWE-311/testRealm2.swift
index 871188fb60a..6374467750f 100644
--- a/swift/ql/test/query-tests/Security/CWE-311/testRealm2.swift
+++ b/swift/ql/test/query-tests/Security/CWE-311/testRealm2.swift
@@ -15,23 +15,23 @@ class MyRealmSwiftObject3 : Object {
 
 func test1(o: MyRealmSwiftObject3, myHarmless: String, myPassword: String) {
 	// ...
-	o.data = myPassword // $ Alert
+	o.data = myPassword // $ Alert[swift/cleartext-storage-database]
 	o.data = myHarmless
 	// ...
 }
 
 func test2(o: MyRealmSwiftObject3, ccn: String, socialSecurityNumber: String, ssn: String, ssn_int: Int, userSSN: String, classno: String) {
-	o.data = socialSecurityNumber // $ Alert
-	o.data = ssn // $ Alert
-	o.data = String(ssn_int) // $ Alert
+	o.data = socialSecurityNumber // $ Alert[swift/cleartext-storage-database]
+	o.data = ssn // $ Alert[swift/cleartext-storage-database]
+	o.data = String(ssn_int) // $ Alert[swift/cleartext-storage-database]
 	o.data = userSSN // BAD [NOT DETECTED]
 	o.data = classno // GOOD
 }
 
 func test3(o: MyRealmSwiftObject3, ccn: String, creditCardNumber: String, CCN: String, int_ccn: Int, userCcn: String, succnode: String) {
-	o.data = creditCardNumber // $ Alert
-	o.data = CCN // $ Alert
-	o.data = String(int_ccn) // $ Alert
+	o.data = creditCardNumber // $ Alert[swift/cleartext-storage-database]
+	o.data = CCN // $ Alert[swift/cleartext-storage-database]
+	o.data = String(int_ccn) // $ Alert[swift/cleartext-storage-database]
 	o.data = userCcn // BAD [NOT DETECTED]
 	o.data = succnode // GOOD
 }
diff --git a/swift/ql/test/query-tests/Security/CWE-311/testSend.swift b/swift/ql/test/query-tests/Security/CWE-311/testSend.swift
index 052b6e5215b..f1a404a19ae 100644
--- a/swift/ql/test/query-tests/Security/CWE-311/testSend.swift
+++ b/swift/ql/test/query-tests/Security/CWE-311/testSend.swift
@@ -26,15 +26,15 @@ func test1(passwordPlain : String, passwordHash : String) {
 	// ...
 
 	nw.send(content: "123456", completion: .idempotent) // GOOD (not sensitive)
-	nw.send(content: passwordPlain, completion: .idempotent) // $ Alert
+	nw.send(content: passwordPlain, completion: .idempotent) // $ Alert[swift/cleartext-transmission]
 	nw.send(content: passwordHash, completion: .idempotent) // GOOD (not sensitive)
 
 	let data1 = Data("123456")
-	let data2 = Data(passwordPlain) // $ Source
+	let data2 = Data(passwordPlain) // $ Source[swift/cleartext-transmission]
 	let data3 = Data(passwordHash)
 
 	nw.send(content: data1, completion: .idempotent) // GOOD (not sensitive)
-	nw.send(content: data2, completion: .idempotent) // $ Alert
+	nw.send(content: data2, completion: .idempotent) // $ Alert[swift/cleartext-transmission]
 	nw.send(content: data3, completion: .idempotent) // GOOD (not sensitive)
 }
 
@@ -55,30 +55,30 @@ struct MyStruct {
 }
 
 func test2(password : String, license_key: String, ms: MyStruct, connection : NWConnection) {
-	let str1 = password // $ Source
-	let str2 = password + " " // $ Source
-	let str3 = pad(password) // $ Source
+	let str1 = password // $ Source[swift/cleartext-transmission]
+	let str2 = password + " " // $ Source[swift/cleartext-transmission]
+	let str3 = pad(password) // $ Source[swift/cleartext-transmission]
 	let str4 = aes_crypt(password)
 	let str5 = pad(aes_crypt(password))
 	let str6 = aes_crypt(pad(password))
 
-	connection.send(content: str1, completion: .idempotent) // $ Alert
-	connection.send(content: str2, completion: .idempotent) // $ Alert
-	connection.send(content: str3, completion: .idempotent) // $ Alert
+	connection.send(content: str1, completion: .idempotent) // $ Alert[swift/cleartext-transmission]
+	connection.send(content: str2, completion: .idempotent) // $ Alert[swift/cleartext-transmission]
+	connection.send(content: str3, completion: .idempotent) // $ Alert[swift/cleartext-transmission]
 	connection.send(content: str4, completion: .idempotent) // GOOD (encrypted)
 	connection.send(content: str5, completion: .idempotent) // GOOD (encrypted)
 	connection.send(content: str6, completion: .idempotent) // GOOD (encrypted)
-	connection.send(content: license_key, completion: .idempotent) // $ Alert
-	connection.send(content: ms.mobileNumber, completion: .idempotent) // $ Alert
+	connection.send(content: license_key, completion: .idempotent) // $ Alert[swift/cleartext-transmission]
+	connection.send(content: ms.mobileNumber, completion: .idempotent) // $ Alert[swift/cleartext-transmission]
 	connection.send(content: ms.mobileUrl, completion: .idempotent) // GOOD (not sensitive)
 	connection.send(content: ms.mobilePlayer, completion: .idempotent) // GOOD (not sensitive)
 	connection.send(content: ms.passwordFeatureEnabled, completion: .idempotent) // GOOD (not sensitive)
-	connection.send(content: ms.Telephone, completion: .idempotent) // $ Alert
-	connection.send(content: ms.birth_day, completion: .idempotent) // $ Alert
-	connection.send(content: ms.CarePlanID, completion: .idempotent) // $ Alert
-	connection.send(content: ms.BankCardNo, completion: .idempotent) // $ Alert
-	connection.send(content: ms.MyCreditRating, completion: .idempotent) // $ Alert
-	connection.send(content: ms.OneTimeCode, completion: .idempotent) // $ Alert
+	connection.send(content: ms.Telephone, completion: .idempotent) // $ Alert[swift/cleartext-transmission]
+	connection.send(content: ms.birth_day, completion: .idempotent) // $ Alert[swift/cleartext-transmission]
+	connection.send(content: ms.CarePlanID, completion: .idempotent) // $ Alert[swift/cleartext-transmission]
+	connection.send(content: ms.BankCardNo, completion: .idempotent) // $ Alert[swift/cleartext-transmission]
+	connection.send(content: ms.MyCreditRating, completion: .idempotent) // $ Alert[swift/cleartext-transmission]
+	connection.send(content: ms.OneTimeCode, completion: .idempotent) // $ Alert[swift/cleartext-transmission]
 }
 
 struct MyOuter {
@@ -91,6 +91,6 @@ struct MyOuter {
 }
 
 func test3(mo : MyOuter, connection : NWConnection) {
-	connection.send(content: mo.password.value, completion: .idempotent) // $ Alert
+	connection.send(content: mo.password.value, completion: .idempotent) // $ Alert[swift/cleartext-transmission]
 	connection.send(content: mo.harmless.value, completion: .idempotent) // GOOD
 }
diff --git a/swift/ql/test/query-tests/Security/CWE-311/testURL.swift b/swift/ql/test/query-tests/Security/CWE-311/testURL.swift
index f76dff4dc31..d77d3a4e5db 100644
--- a/swift/ql/test/query-tests/Security/CWE-311/testURL.swift
+++ b/swift/ql/test/query-tests/Security/CWE-311/testURL.swift
@@ -36,22 +36,22 @@ func setMyString(str: String) { myString = str }
 func getMyString() -> String { return myString }
 
 func test1(passwd : String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
-	_ = URL(string: "http://example.com/login?p=" + passwd); // $ Alert
+	_ = URL(string: "http://example.com/login?p=" + passwd); // $ Alert[swift/cleartext-transmission]
 	_ = URL(string: "http://example.com/login?p=" + encrypted_passwd); // GOOD (not sensitive)
-	_ = URL(string: "http://example.com/login?ac=" + account_no); // $ Alert
-	_ = URL(string: "http://example.com/login?cc=" + credit_card_no); // $ Alert
+	_ = URL(string: "http://example.com/login?ac=" + account_no); // $ Alert[swift/cleartext-transmission]
+	_ = URL(string: "http://example.com/login?cc=" + credit_card_no); // $ Alert[swift/cleartext-transmission]
 
 	let base = URL(string: "http://example.com/"); // GOOD (not sensitive)
 	_ = URL(string: "abc", relativeTo: base); // GOOD (not sensitive)
-	let f = URL(string: passwd, relativeTo: base); // $ Alert
+	let f = URL(string: passwd, relativeTo: base); // $ Alert[swift/cleartext-transmission]
 	_ = URL(string: "abc", relativeTo: f); // BAD (reported on line above)
 
 	let e_mail = myString
-	_ = URL(string: "http://example.com/login?em=" + e_mail); // $ Alert
+	_ = URL(string: "http://example.com/login?em=" + e_mail); // $ Alert[swift/cleartext-transmission]
 	let a_homeaddr_z = getMyString()
-	_ = URL(string: "http://example.com/login?home=" + a_homeaddr_z); // $ Alert
+	_ = URL(string: "http://example.com/login?home=" + a_homeaddr_z); // $ Alert[swift/cleartext-transmission]
 	let resident_ID = getMyString()
-	_ = URL(string: "http://example.com/login?id=" + resident_ID); // $ Alert
+	_ = URL(string: "http://example.com/login?id=" + resident_ID); // $ Alert[swift/cleartext-transmission]
 }
 
 func get_private_key() -> String { return "" }
@@ -70,9 +70,9 @@ func test2() {
 	_ = URL(string: "http://example.com/login?key=" + get_aes_key()); // BAD [NOT DETECTED]
 	_ = URL(string: "http://example.com/login?key=" + get_aws_key()); // BAD [NOT DETECTED]
 	_ = URL(string: "http://example.com/login?key=" + get_access_key()); // BAD [NOT DETECTED]
-	_ = URL(string: "http://example.com/login?key=" + get_secret_key()); // $ Alert
+	_ = URL(string: "http://example.com/login?key=" + get_secret_key()); // $ Alert[swift/cleartext-transmission]
 	_ = URL(string: "http://example.com/login?key=" + get_key_press()); // GOOD (not sensitive)
-	_ = URL(string: "http://example.com/login?cert=" + get_cert_string()); // $ Alert
+	_ = URL(string: "http://example.com/login?cert=" + get_cert_string()); // $ Alert[swift/cleartext-transmission]
 	_ = URL(string: "http://example.com/login?certain=" + get_certain()); // GOOD (not sensitive)
 }
 
@@ -93,7 +93,7 @@ func test3() {
 	_ = URL(string: "http://example.com/login?key=\(priv_key)"); // BAD [NOT DETECTED]
 	_ = URL(string: "http://example.com/login?key=\(private_key)"); // BAD [NOT DETECTED]
 	_ = URL(string: "http://example.com/login?key=\(pub_key)"); // GOOD (not sensitive)
-	_ = URL(string: "http://example.com/login?cert=\(certificate)"); // $ Alert
+	_ = URL(string: "http://example.com/login?cert=\(certificate)"); // $ Alert[swift/cleartext-transmission]
 	_ = URL(string: "http://example.com/login?tok=\(secure_token)"); // BAD [NOT DETECTED]
 	_ = URL(string: "http://example.com/login?tok=\(access_token)"); // BAD [NOT DETECTED]
 	_ = URL(string: "http://example.com/login?tok=\(auth_token)"); // BAD [NOT DETECTED]
@@ -101,9 +101,9 @@ func test3() {
 }
 
 func test4(key: SecKey) {
-	if let data = SecKeyCopyExternalRepresentation(key, nil) as? Data { // $ Source
+	if let data = SecKeyCopyExternalRepresentation(key, nil) as? Data { // $ Source[swift/cleartext-transmission]
 		if let string = String(data: data, encoding: .utf8) {
-			_ = URL(string: "http://example.com/login?tok=\(string)"); // $ Alert
+			_ = URL(string: "http://example.com/login?tok=\(string)"); // $ Alert[swift/cleartext-transmission]
 		}
 	}
 }
@@ -113,14 +113,14 @@ func test5() {
 	let email = get_string()
 	let secret_key = get_string()
 
-	_ = URL(string: "http://example.com/login?email=\(email)"); // $ Alert
+	_ = URL(string: "http://example.com/login?email=\(email)"); // $ Alert[swift/cleartext-transmission]
 	_ = URL(string: "mailto:\(email)"); // GOOD (revealing your e-amil address in an e-mail is expected)
 	_ = URL(string: "mailto:info@example.com?subject=\(secret_key)"); // BAD [NOT DETECTED]
 	_ = URL(string: "mailto:info@example.com?subject=foo&cc=\(email)"); // GOOD
 
 	let phone_number = get_string()
 
-	_ = URL(string: "http://example.com/profile?tel=\(phone_number)"); // $ Alert
+	_ = URL(string: "http://example.com/profile?tel=\(phone_number)"); // $ Alert[swift/cleartext-transmission]
 	_ = URL(string: "tel:\(phone_number)") // GOOD
 	_ = URL(string: "telprompt:\(phone_number)") // GOOD
 	_ = URL(string: "callto:\(phone_number)") // GOOD
@@ -129,5 +129,5 @@ func test5() {
 	let account_no = get_string()
 
 	_ = URL(string: "file:///foo/bar/\(account_no).csv") // GOOD (local, so not transmitted)
-	_ = URL(string: "ftp://example.com/\(account_no).csv") // $ Alert
+	_ = URL(string: "ftp://example.com/\(account_no).csv") // $ Alert[swift/cleartext-transmission]
 }
diff --git a/swift/ql/test/query-tests/Security/CWE-328/testCryptoKit.swift b/swift/ql/test/query-tests/Security/CWE-328/testCryptoKit.swift
index 1b1f34efca1..2f08fb62d90 100644
--- a/swift/ql/test/query-tests/Security/CWE-328/testCryptoKit.swift
+++ b/swift/ql/test/query-tests/Security/CWE-328/testCryptoKit.swift
@@ -81,43 +81,43 @@ enum Insecure {
 // --- tests ---
 
 func testHashMethods(passwd : UnsafeRawBufferPointer, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
-    var hash = Crypto.Insecure.MD5.hash(data: passwd) // $ Alert
-    hash = Crypto.Insecure.MD5.hash(bufferPointer: passwd) // $ Alert
-    hash = Crypto.Insecure.MD5.hash(data: cert) // $ Alert
+    var hash = Crypto.Insecure.MD5.hash(data: passwd) // $ Alert[swift/weak-password-hashing]
+    hash = Crypto.Insecure.MD5.hash(bufferPointer: passwd) // $ Alert[swift/weak-password-hashing]
+    hash = Crypto.Insecure.MD5.hash(data: cert) // $ Alert[swift/weak-sensitive-data-hashing]
     hash = Crypto.Insecure.MD5.hash(data: encrypted_passwd)  // GOOD  (not sensitive)
-    hash = Crypto.Insecure.MD5.hash(data: account_no) // $ Alert
-    hash = Crypto.Insecure.MD5.hash(data: credit_card_no) // $ Alert
+    hash = Crypto.Insecure.MD5.hash(data: account_no) // $ Alert[swift/weak-sensitive-data-hashing]
+    hash = Crypto.Insecure.MD5.hash(data: credit_card_no) // $ Alert[swift/weak-sensitive-data-hashing]
 
-    hash = Insecure.MD5.hash(data: passwd) // $ Alert
-    hash = Insecure.MD5.hash(bufferPointer: passwd) // $ Alert
-    hash = Insecure.MD5.hash(data: cert) // $ Alert
+    hash = Insecure.MD5.hash(data: passwd) // $ Alert[swift/weak-password-hashing]
+    hash = Insecure.MD5.hash(bufferPointer: passwd) // $ Alert[swift/weak-password-hashing]
+    hash = Insecure.MD5.hash(data: cert) // $ Alert[swift/weak-sensitive-data-hashing]
     hash = Insecure.MD5.hash(data: encrypted_passwd)  // GOOD  (not sensitive)
-    hash = Insecure.MD5.hash(data: account_no) // $ Alert
-    hash = Insecure.MD5.hash(data: credit_card_no) // $ Alert
+    hash = Insecure.MD5.hash(data: account_no) // $ Alert[swift/weak-sensitive-data-hashing]
+    hash = Insecure.MD5.hash(data: credit_card_no) // $ Alert[swift/weak-sensitive-data-hashing]
 
-    hash = Crypto.Insecure.SHA1.hash(data: passwd) // $ Alert
-    hash = Crypto.Insecure.SHA1.hash(bufferPointer: passwd) // $ Alert
-    hash = Crypto.Insecure.SHA1.hash(data: cert) // $ Alert
+    hash = Crypto.Insecure.SHA1.hash(data: passwd) // $ Alert[swift/weak-password-hashing]
+    hash = Crypto.Insecure.SHA1.hash(bufferPointer: passwd) // $ Alert[swift/weak-password-hashing]
+    hash = Crypto.Insecure.SHA1.hash(data: cert) // $ Alert[swift/weak-sensitive-data-hashing]
     hash = Crypto.Insecure.SHA1.hash(data: encrypted_passwd)  // GOOD  (not sensitive)
-    hash = Crypto.Insecure.SHA1.hash(data: account_no) // $ Alert
-    hash = Crypto.Insecure.SHA1.hash(data: credit_card_no) // $ Alert
+    hash = Crypto.Insecure.SHA1.hash(data: account_no) // $ Alert[swift/weak-sensitive-data-hashing]
+    hash = Crypto.Insecure.SHA1.hash(data: credit_card_no) // $ Alert[swift/weak-sensitive-data-hashing]
 
-    hash = Crypto.SHA256.hash(data: passwd) // $ Alert // BAD, not a computationally expensive hash
-    hash = Crypto.SHA256.hash(bufferPointer: passwd) // $ Alert // BAD, not a computationally expensive hash
+    hash = Crypto.SHA256.hash(data: passwd) // $ Alert[swift/weak-password-hashing] // BAD, not a computationally expensive hash
+    hash = Crypto.SHA256.hash(bufferPointer: passwd) // $ Alert[swift/weak-password-hashing] // BAD, not a computationally expensive hash
     hash = Crypto.SHA256.hash(data: cert)   // GOOD, computationally expensive hash not required
     hash = Crypto.SHA256.hash(data: encrypted_passwd)   // GOOD, not sensitive
     hash = Crypto.SHA256.hash(data: account_no)   // GOOD, computationally expensive hash not required
     hash = Crypto.SHA256.hash(data: credit_card_no)   // GOOD, computationally expensive hash not required
 
-    hash = Crypto.SHA384.hash(data: passwd) // $ Alert // BAD, not a computationally expensive hash
-    hash = Crypto.SHA384.hash(bufferPointer: passwd) // $ Alert // BAD, not a computationally expensive hash
+    hash = Crypto.SHA384.hash(data: passwd) // $ Alert[swift/weak-password-hashing] // BAD, not a computationally expensive hash
+    hash = Crypto.SHA384.hash(bufferPointer: passwd) // $ Alert[swift/weak-password-hashing] // BAD, not a computationally expensive hash
     hash = Crypto.SHA384.hash(data: cert)   // GOOD, computationally expensive hash not required
     hash = Crypto.SHA384.hash(data: encrypted_passwd)   // GOOD, not sensitive
     hash = Crypto.SHA384.hash(data: account_no)   // GOOD, computationally expensive hash not required
     hash = Crypto.SHA384.hash(data: credit_card_no)   // GOOD, computationally expensive hash not required
 
-    hash = Crypto.SHA512.hash(data: passwd) // $ Alert // BAD, not a computationally expensive hash
-    hash = Crypto.SHA512.hash(bufferPointer: passwd) // $ Alert // BAD, not a computationally expensive hash
+    hash = Crypto.SHA512.hash(data: passwd) // $ Alert[swift/weak-password-hashing] // BAD, not a computationally expensive hash
+    hash = Crypto.SHA512.hash(bufferPointer: passwd) // $ Alert[swift/weak-password-hashing] // BAD, not a computationally expensive hash
     hash = Crypto.SHA512.hash(data: cert)   // GOOD, computationally expensive hash not required
     hash = Crypto.SHA512.hash(data: encrypted_passwd)   // GOOD, not sensitive
     hash = Crypto.SHA512.hash(data: account_no)   // GOOD, computationally expensive hash not required
@@ -126,25 +126,25 @@ func testHashMethods(passwd : UnsafeRawBufferPointer, cert: String, encrypted_pa
 
 func testMD5UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
     var hash = Crypto.Insecure.MD5()
-    hash.update(data: passwd) // $ Alert
-    hash.update(data: cert) // $ Alert
+    hash.update(data: passwd) // $ Alert[swift/weak-password-hashing]
+    hash.update(data: cert) // $ Alert[swift/weak-sensitive-data-hashing]
     hash.update(data: encrypted_passwd)  // GOOD  (not sensitive)
-    hash.update(data: account_no) // $ Alert
-    hash.update(data: credit_card_no) // $ Alert
+    hash.update(data: account_no) // $ Alert[swift/weak-sensitive-data-hashing]
+    hash.update(data: credit_card_no) // $ Alert[swift/weak-sensitive-data-hashing]
 }
 
 func testSHA1UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
     var hash = Crypto.Insecure.SHA1()
-    hash.update(data: passwd) // $ Alert
-    hash.update(data: cert) // $ Alert
+    hash.update(data: passwd) // $ Alert[swift/weak-password-hashing]
+    hash.update(data: cert) // $ Alert[swift/weak-sensitive-data-hashing]
     hash.update(data: encrypted_passwd)  // GOOD  (not sensitive)
-    hash.update(data: account_no) // $ Alert
-    hash.update(data: credit_card_no) // $ Alert
+    hash.update(data: account_no) // $ Alert[swift/weak-sensitive-data-hashing]
+    hash.update(data: credit_card_no) // $ Alert[swift/weak-sensitive-data-hashing]
 }
 
 func testSHA256UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
     var hash = Crypto.SHA256()
-    hash.update(data: passwd) // $ Alert // BAD, not a computationally expensive hash
+    hash.update(data: passwd) // $ Alert[swift/weak-password-hashing] // BAD, not a computationally expensive hash
     hash.update(data: cert)  // GOOD
     hash.update(data: encrypted_passwd)   // GOOD  (not sensitive)
     hash.update(data: account_no)   // GOOD
@@ -153,7 +153,7 @@ func testSHA256UpdateWithData(passwd : String, cert: String, encrypted_passwd :
 
 func testSHA384UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
     var hash = Crypto.SHA384()
-    hash.update(data: passwd) // $ Alert // BAD, not a computationally expensive hash
+    hash.update(data: passwd) // $ Alert[swift/weak-password-hashing] // BAD, not a computationally expensive hash
     hash.update(data: cert)  // GOOD
     hash.update(data: encrypted_passwd)   // GOOD  (not sensitive)
     hash.update(data: account_no)   // GOOD
@@ -162,7 +162,7 @@ func testSHA384UpdateWithData(passwd : String, cert: String, encrypted_passwd :
 
 func testSHA512UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
     var hash = Crypto.SHA512()
-    hash.update(data: passwd) // $ Alert // BAD, not a computationally expensive hash
+    hash.update(data: passwd) // $ Alert[swift/weak-password-hashing] // BAD, not a computationally expensive hash
     hash.update(data: cert)  // GOOD
     hash.update(data: encrypted_passwd)   // GOOD  (not sensitive)
     hash.update(data: account_no)   // GOOD
@@ -171,25 +171,25 @@ func testSHA512UpdateWithData(passwd : String, cert: String, encrypted_passwd :
 
 func testMD5UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, cert: UnsafeRawBufferPointer, encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) {
     var hash = Crypto.Insecure.MD5()
-    hash.update(bufferPointer: passwd) // $ Alert
-    hash.update(bufferPointer: cert) // $ Alert
+    hash.update(bufferPointer: passwd) // $ Alert[swift/weak-password-hashing]
+    hash.update(bufferPointer: cert) // $ Alert[swift/weak-sensitive-data-hashing]
     hash.update(bufferPointer: encrypted_passwd)  // GOOD  (not sensitive)
-    hash.update(bufferPointer: account_no) // $ Alert
-    hash.update(bufferPointer: credit_card_no) // $ Alert
+    hash.update(bufferPointer: account_no) // $ Alert[swift/weak-sensitive-data-hashing]
+    hash.update(bufferPointer: credit_card_no) // $ Alert[swift/weak-sensitive-data-hashing]
 }
 
 func testSHA1UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, cert: UnsafeRawBufferPointer, encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) {
     var hash = Crypto.Insecure.SHA1()
-    hash.update(bufferPointer: passwd) // $ Alert
-    hash.update(bufferPointer: cert) // $ Alert
+    hash.update(bufferPointer: passwd) // $ Alert[swift/weak-password-hashing]
+    hash.update(bufferPointer: cert) // $ Alert[swift/weak-sensitive-data-hashing]
     hash.update(bufferPointer: encrypted_passwd)  // GOOD  (not sensitive)
-    hash.update(bufferPointer: account_no) // $ Alert
-    hash.update(bufferPointer: credit_card_no) // $ Alert
+    hash.update(bufferPointer: account_no) // $ Alert[swift/weak-sensitive-data-hashing]
+    hash.update(bufferPointer: credit_card_no) // $ Alert[swift/weak-sensitive-data-hashing]
 }
 
 func testSHA256UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, cert: UnsafeRawBufferPointer, encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) {
     var hash = Crypto.SHA256()
-    hash.update(bufferPointer: passwd) // $ Alert // BAD, not a computationally expensive hash
+    hash.update(bufferPointer: passwd) // $ Alert[swift/weak-password-hashing] // BAD, not a computationally expensive hash
     hash.update(bufferPointer: cert)  // GOOD
     hash.update(bufferPointer: encrypted_passwd)  // GOOD  (not sensitive)
     hash.update(bufferPointer: account_no)   // GOOD
@@ -198,7 +198,7 @@ func testSHA256UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer,
 
 func testSHA384UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, cert: UnsafeRawBufferPointer, encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) {
     var hash = Crypto.SHA384()
-    hash.update(bufferPointer: passwd) // $ Alert // BAD, not a computationally expensive hash
+    hash.update(bufferPointer: passwd) // $ Alert[swift/weak-password-hashing] // BAD, not a computationally expensive hash
     hash.update(bufferPointer: cert)  // GOOD
     hash.update(bufferPointer: encrypted_passwd)  // GOOD  (not sensitive)
     hash.update(bufferPointer: account_no)   // GOOD
@@ -207,7 +207,7 @@ func testSHA384UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer,
 
 func testSHA512UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, cert: UnsafeRawBufferPointer, encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) {
     var hash = Crypto.SHA512()
-    hash.update(bufferPointer: passwd) // $ Alert // BAD, not a computationally expensive hash
+    hash.update(bufferPointer: passwd) // $ Alert[swift/weak-password-hashing] // BAD, not a computationally expensive hash
     hash.update(bufferPointer: cert)  // GOOD
     hash.update(bufferPointer: encrypted_passwd)  // GOOD  (not sensitive)
     hash.update(bufferPointer: account_no)   // GOOD
@@ -217,30 +217,30 @@ func testSHA512UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer,
 func testBadExample(passwordString: String) {
     // this is the "bad" example from the .qhelp
     let passwordData = Data(passwordString.utf8)
-    let passwordHash = Crypto.SHA512.hash(data: passwordData) // $ Alert // BAD, not a computationally expensive hash
+    let passwordHash = Crypto.SHA512.hash(data: passwordData) // $ Alert[swift/weak-password-hashing] // BAD, not a computationally expensive hash
 
     // ...
 
-    if Crypto.SHA512.hash(data: Data(passwordString.utf8)) == passwordHash { // $ Alert // BAD, not a computationally expensive hash
+    if Crypto.SHA512.hash(data: Data(passwordString.utf8)) == passwordHash { // $ Alert[swift/weak-password-hashing] // BAD, not a computationally expensive hash
 	    // ...
     }
 }
 
 func testWithFlowAndMetatypes(cardNumber: String) {
-    let value1 = Data(cardNumber.utf8); // $ Source
-    let _digest1 = Insecure.MD5.hash(data: value1); // $ Alert
+    let value1 = Data(cardNumber.utf8); // $ Source[swift/weak-sensitive-data-hashing]
+    let _digest1 = Insecure.MD5.hash(data: value1); // $ Alert[swift/weak-sensitive-data-hashing]
 
-    let value2 = Data(cardNumber.utf8); // $ Source
+    let value2 = Data(cardNumber.utf8); // $ Source[swift/weak-sensitive-data-hashing]
     let hasher2 = Insecure.MD5.self; // metatype
-    let _digest2 = hasher2.hash(data: value2); // $ Alert
+    let _digest2 = hasher2.hash(data: value2); // $ Alert[swift/weak-sensitive-data-hashing]
 
-    let value3 = Data(cardNumber.utf8); // $ Source
-    let _digest3 = (Insecure.MD5.self).hash(data: value3); // $ Alert
+    let value3 = Data(cardNumber.utf8); // $ Source[swift/weak-sensitive-data-hashing]
+    let _digest3 = (Insecure.MD5.self).hash(data: value3); // $ Alert[swift/weak-sensitive-data-hashing]
 
-    let value4 = Data(cardNumber.utf8); // $ Source
+    let value4 = Data(cardNumber.utf8); // $ Source[swift/weak-sensitive-data-hashing]
     testReceiver1(value: value4);
 
-    let value5 = Data(cardNumber.utf8); // $ Source
+    let value5 = Data(cardNumber.utf8); // $ Source[swift/weak-sensitive-data-hashing]
     testReceiver2(hasher: Insecure.MD5.self, value: value5);
 
     let value6 = Data(cardNumber.utf8);
@@ -248,11 +248,11 @@ func testWithFlowAndMetatypes(cardNumber: String) {
 }
 
 func testReceiver1(value: Data) {
-    let _digest = Insecure.MD5.hash(data: value); // $ Alert
+    let _digest = Insecure.MD5.hash(data: value); // $ Alert[swift/weak-sensitive-data-hashing]
 }
 
 func testReceiver2(hasher: Insecure.MD5.Type, value: Data) {
-    let _digest = hasher.hash(data: value); // $ Alert
+    let _digest = hasher.hash(data: value); // $ Alert[swift/weak-sensitive-data-hashing]
 }
 
 func testReceiver3<H: HashFunction>(hasher: H.Type, value: Data) {
diff --git a/swift/ql/test/query-tests/Security/CWE-328/testCryptoSwift.swift b/swift/ql/test/query-tests/Security/CWE-328/testCryptoSwift.swift
index 54d04b14069..a6f4584230e 100644
--- a/swift/ql/test/query-tests/Security/CWE-328/testCryptoSwift.swift
+++ b/swift/ql/test/query-tests/Security/CWE-328/testCryptoSwift.swift
@@ -150,83 +150,83 @@ extension String {
 
 func testArrays(harmlessArray: Array<UInt8>, phoneNumberArray: Array<UInt8>, passwdArray: Array<UInt8>) {
     _ = MD5().calculate(for: harmlessArray) // GOOD (not sensitive)
-    _ = MD5().calculate(for: phoneNumberArray) // $ Alert
-    _ = MD5().calculate(for: passwdArray) // $ Alert
+    _ = MD5().calculate(for: phoneNumberArray) // $ Alert[swift/weak-sensitive-data-hashing]
+    _ = MD5().calculate(for: passwdArray) // $ Alert[swift/weak-password-hashing]
     _ = SHA1().calculate(for: harmlessArray) // GOOD (not sensitive)
-    _ = SHA1().calculate(for: phoneNumberArray) // $ Alert
-    _ = SHA1().calculate(for: passwdArray) // $ Alert
+    _ = SHA1().calculate(for: phoneNumberArray) // $ Alert[swift/weak-sensitive-data-hashing]
+    _ = SHA1().calculate(for: passwdArray) // $ Alert[swift/weak-password-hashing]
     _ = SHA2(variant: .sha512).calculate(for: harmlessArray) // GOOD
     _ = SHA2(variant: .sha512).calculate(for: phoneNumberArray) // GOOD
-    _ = SHA2(variant: .sha512).calculate(for: passwdArray) // $ Alert
+    _ = SHA2(variant: .sha512).calculate(for: passwdArray) // $ Alert[swift/weak-password-hashing]
     _ = SHA3(variant: .sha512).calculate(for: harmlessArray) // GOOD
     _ = SHA3(variant: .sha512).calculate(for: phoneNumberArray) // GOOD
-    _ = SHA3(variant: .sha512).calculate(for: passwdArray) // $ Alert
+    _ = SHA3(variant: .sha512).calculate(for: passwdArray) // $ Alert[swift/weak-password-hashing]
 
     _ = Digest.md5(harmlessArray) // GOOD (not sensitive)
-    _ = Digest.md5(phoneNumberArray) // $ Alert
-    _ = Digest.md5(passwdArray) // $ Alert
+    _ = Digest.md5(phoneNumberArray) // $ Alert[swift/weak-sensitive-data-hashing]
+    _ = Digest.md5(passwdArray) // $ Alert[swift/weak-password-hashing]
     _ = Digest.sha1(harmlessArray) // GOOD (not sensitive)
-    _ = Digest.sha1(phoneNumberArray) // $ Alert
-    _ = Digest.sha1(passwdArray) // $ Alert
+    _ = Digest.sha1(phoneNumberArray) // $ Alert[swift/weak-sensitive-data-hashing]
+    _ = Digest.sha1(passwdArray) // $ Alert[swift/weak-password-hashing]
     _ = Digest.sha512(harmlessArray) // GOOD (not sensitive)
     _ = Digest.sha512(phoneNumberArray) // GOOD
-    _ = Digest.sha512(passwdArray) // $ Alert
+    _ = Digest.sha512(passwdArray) // $ Alert[swift/weak-password-hashing]
     _ = Digest.sha2(harmlessArray, variant: .sha512) // GOOD (not sensitive)
     _ = Digest.sha2(phoneNumberArray, variant: .sha512) // GOOD
-    _ = Digest.sha2(passwdArray, variant: .sha512) // $ Alert
+    _ = Digest.sha2(passwdArray, variant: .sha512) // $ Alert[swift/weak-password-hashing]
     _ = Digest.sha3(harmlessArray, variant: .sha512) // GOOD (not sensitive)
     _ = Digest.sha3(phoneNumberArray, variant: .sha512) // GOOD
-    _ = Digest.sha3(passwdArray, variant: .sha512) // $ Alert
+    _ = Digest.sha3(passwdArray, variant: .sha512) // $ Alert[swift/weak-password-hashing]
 
     _ = harmlessArray.md5() // GOOD (not sensitive)
-    _ = phoneNumberArray.md5() // $ Alert
-    _ = passwdArray.md5() // $ Alert
+    _ = phoneNumberArray.md5() // $ Alert[swift/weak-sensitive-data-hashing]
+    _ = passwdArray.md5() // $ Alert[swift/weak-password-hashing]
     _ = harmlessArray.sha1() // GOOD (not sensitive)
-    _ = phoneNumberArray.sha1() // $ Alert
-    _ = passwdArray.sha1() // $ Alert
+    _ = phoneNumberArray.sha1() // $ Alert[swift/weak-sensitive-data-hashing]
+    _ = passwdArray.sha1() // $ Alert[swift/weak-password-hashing]
     _ = harmlessArray.sha512() // GOOD
     _ = phoneNumberArray.sha512() // GOOD
-    _ = passwdArray.sha512() // $ Alert
+    _ = passwdArray.sha512() // $ Alert[swift/weak-password-hashing]
     _ = harmlessArray.sha2(.sha512) // GOOD
     _ = phoneNumberArray.sha2(.sha512) // GOOD
-    _ = passwdArray.sha2(.sha512) // $ Alert
+    _ = passwdArray.sha2(.sha512) // $ Alert[swift/weak-password-hashing]
     _ = harmlessArray.sha3(.sha512) // GOOD
     _ = phoneNumberArray.sha3(.sha512) // GOOD
-    _ = passwdArray.sha3(.sha512) // $ Alert
+    _ = passwdArray.sha3(.sha512) // $ Alert[swift/weak-password-hashing]
 }
 
 func testData(harmlessData: Data, medicalData: Data, passwdData: Data) {
     _ = harmlessData.md5() // GOOD (not sensitive)
-    _ = medicalData.md5() // $ Alert
-    _ = passwdData.md5() // $ Alert
+    _ = medicalData.md5() // $ Alert[swift/weak-sensitive-data-hashing]
+    _ = passwdData.md5() // $ Alert[swift/weak-password-hashing]
     _ = harmlessData.sha1() // GOOD (not sensitive)
-    _ = medicalData.sha1() // $ Alert
-    _ = passwdData.sha1() // $ Alert
+    _ = medicalData.sha1() // $ Alert[swift/weak-sensitive-data-hashing]
+    _ = passwdData.sha1() // $ Alert[swift/weak-password-hashing]
     _ = harmlessData.sha512() // GOOD
     _ = medicalData.sha512() // GOOD
-    _ = passwdData.sha512() // $ Alert
+    _ = passwdData.sha512() // $ Alert[swift/weak-password-hashing]
     _ = harmlessData.sha2(.sha512) // GOOD
     _ = medicalData.sha2(.sha512) // GOOD
-    _ = passwdData.sha2(.sha512) // $ Alert
+    _ = passwdData.sha2(.sha512) // $ Alert[swift/weak-password-hashing]
     _ = harmlessData.sha3(.sha512) // GOOD
     _ = medicalData.sha3(.sha512) // GOOD
-    _ = passwdData.sha3(.sha512) // $ Alert
+    _ = passwdData.sha3(.sha512) // $ Alert[swift/weak-password-hashing]
 }
 
 func testStrings(creditCardNumber: String, passwd: String) {
     _ = "harmless".md5() // GOOD (not sensitive)
-    _ = creditCardNumber.md5() // $ Alert
-    _ = passwd.md5() // $ Alert
+    _ = creditCardNumber.md5() // $ Alert[swift/weak-sensitive-data-hashing]
+    _ = passwd.md5() // $ Alert[swift/weak-password-hashing]
     _ = "harmless".sha1() // GOOD (not sensitive)
-    _ = creditCardNumber.sha1() // $ Alert
-    _ = passwd.sha1() // $ Alert
+    _ = creditCardNumber.sha1() // $ Alert[swift/weak-sensitive-data-hashing]
+    _ = passwd.sha1() // $ Alert[swift/weak-password-hashing]
     _ = "harmless".sha512() // GOOD
     _ = creditCardNumber.sha512() // GOOD
-    _ = passwd.sha512() // $ Alert
+    _ = passwd.sha512() // $ Alert[swift/weak-password-hashing]
     _ = "harmless".sha2(.sha512) // GOOD
     _ = creditCardNumber.sha2(.sha512) // GOOD
-    _ = passwd.sha2(.sha512) // $ Alert
+    _ = passwd.sha2(.sha512) // $ Alert[swift/weak-password-hashing]
     _ = "harmless".sha3(.sha512) // GOOD
     _ = creditCardNumber.sha3(.sha512) // GOOD
-    _ = passwd.sha3(.sha512) // $ Alert
+    _ = passwd.sha3(.sha512) // $ Alert[swift/weak-password-hashing]
 }