From f2f4f4cce3e8f774dc68722d38fd30d12b61a498 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Wed, 6 May 2026 14:19:08 +0100
Subject: [PATCH] Shared: Add 'security_code' sensitive data heuristic.

---
 rust/ql/test/library-tests/sensitivedata/test.rs                | 2 +-
 .../codeql/concepts/internal/SensitiveDataHeuristics.qll        | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/rust/ql/test/library-tests/sensitivedata/test.rs b/rust/ql/test/library-tests/sensitivedata/test.rs
index 2fa22152c83..e2bb5a5f595 100644
--- a/rust/ql/test/library-tests/sensitivedata/test.rs
+++ b/rust/ql/test/library-tests/sensitivedata/test.rs
@@ -315,7 +315,7 @@ fn test_private_info(
 	sink(info.financials.credit_card_no.as_str()); // $ sensitive=private
 	sink(info.financials.card_no.as_str()); // $ sensitive=private
 	sink(info.financials.cardNumber.as_str()); // $ sensitive=private
-	sink(info.financials.card_security_code.as_str()); // $ MISSING: sensitive=private
+	sink(info.financials.card_security_code.as_str()); // $ sensitive=private
 	sink(info.financials.credit_rating); // $ sensitive=private
 	sink(info.financials.user_ccn.as_str()); // $ sensitive=private
 	sink(info.financials.cvv.as_str()); // $ sensitive=private
diff --git a/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll b/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll
index 80ef76c76ac..f3b979d2e3b 100644
--- a/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll
+++ b/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll
@@ -106,6 +106,7 @@ module HeuristicNames {
         // Financial data - such as credit card numbers, salary, bank accounts, and debts
         "(credit|debit|bank|visa).?(card|num|no|acc(ou)?nt)|(card|acc(ou)?nt).?(no|num|credit)|routing.?num|"
         + "salary|billing|beneficiary|credit.?(rating|score)|([_-]|\\b)(ccn|cvv|iban)([_-]|\\b)|" +
+        "security.?code|" +
         // Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc.
         // "e(mail|_mail)|" + // this seems too noisy
         // Health - medical conditions, insurance status, prescription records