diff --git a/python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKey.ql b/python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKey.ql
index f540adf252b..a7e0bf22736 100644
--- a/python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKey.ql
+++ b/python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKey.ql
@@ -19,6 +19,7 @@ import semmle.python.ApiGraphs
 import semmle.python.dataflow.new.TaintTracking
 import WebAppConstantSecretKeyDjango
 import WebAppConstantSecretKeyFlask
+import semmle.python.filters.Tests
 
 newtype TFrameWork =
   Flask() or
@@ -33,7 +34,13 @@ module WebAppConstantSecretKeyConfig implements DataFlow::StateConfigSig {
     state = Django() and DjangoConstantSecretKeyConfig::isSource(source)
   }
 
-  predicate isBarrier(DataFlow::Node node) { node.getLocation().getFile().inStdlib() }
+  predicate isBarrier(DataFlow::Node node) {
+    node.getLocation().getFile().inStdlib() or
+    node.getLocation()
+        .getFile()
+        .getAbsolutePath()
+        .matches(["%test%", "%demo%", "%example%", "%sample%"])
+  }
 
   predicate isSink(DataFlow::Node sink, FlowState state) {
     state = Flask() and FlaskConstantSecretKeyConfig::isSink(sink)
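Review bot: The path patterns added to isBarrier in the second hunk are unanchored substrings, so `%test%` also matches production paths such as `contest/`, `latest_settings.py` or `attestation/`, and `%sample%` matches `sampler.py`; any flow node in such a file now silently suppresses a real constant-secret-key finding, which for a security query is a false negative rather than a removed false positive. Anchoring on path segments, e.g. `.matches(["%/test%", "%_test.py", "%/demo%", "%/example%", "%/sample%"])`, keeps the intended exclusion while narrowing what it hides. As far as I know `matches` is case-sensitive, so `Tests/` or `Examples/` would not be excluded at all; a comment stating the intent, e.g. `// exclude test fixtures and sample apps, which legitimately hard-code keys`, would make the trade-off explicit. The `import semmle.python.filters.Tests` added in the first hunk is not referenced in either hunk; if it is unused elsewhere in the file, either drop it or use the `TestScope` class it provides instead of hand-rolled path matching. The enclosing module WebAppConstantSecretKeyConfig begins and ends outside the hunk.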