diff --git a/test-requirements.txt b/test-requirements.txt
index 58c378ae7..eb3bcf118 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -3,6 +3,7 @@
 # process, which may cause wedges in the gate later.
 hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
+bandit>=1.1.0 # Apache-2.0
 coverage!=4.4,>=4.0 # Apache-2.0
 fixtures>=3.0.0 # Apache-2.0/BSD
 flake8-import-order==0.12 # LGPLv3
diff --git a/tox.ini b/tox.ini
index 2d3cd408d..d534b0cb6 100644
--- a/tox.ini
+++ b/tox.ini
@@ -25,7 +25,9 @@ commands = sh -c "find . -type d -name '.?*' -prune -o \
 whitelist_externals = sh

 [testenv:pep8]
-commands = flake8
+commands =
+ flake8
+ {[testenv:bandit]commands}
 distribute = false

 [testenv:venv]
@@ -62,6 +64,10 @@ import-order-style = pep8
 # H904: Delay string interpolations at logging calls
 enable-extensions=H904

+[testenv:bandit]
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit -r neutronclient -x tests -n5
+
 [testenv:lower-constraints]
 basepython = python3
 deps =
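Review bot: The added requirement `bandit>=1.1.0` has no upper bound, so the gate installs whatever bandit release is current unless a constraints file caps it (none is visible in this diff). Newer bandit releases add checks, which can turn the job red or change what gets reported without any change in this repository. Consider bounding or pinning it, as `flake8-import-order==0.12` is pinned a few lines below, and raising the version deliberately when the new findings have been triaged.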
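Review bot: The exclusion in `commands = bandit -r neutronclient -x tests -n5` is the bare name `tests`, and how bandit matches `-x` values has not been the same in every release, so with the open-ended `bandit>=1.1.0` requirement the test tree may or may not be skipped depending on the installed version. Spelling the path out, `commands = bandit -r neutronclient -x neutronclient/tests -n5`, makes the intent explicit (assuming the tests live there; the tree is not visible in this diff). A comment above the section, such as `# Security lint: scan neutronclient/ recursively, skip the tests, print 5 lines of context per finding`, would also help, because `[testenv:pep8]` now pulls these commands in through `{[testenv:bandit]commands}` and, with no severity or confidence filter set, any reported finding fails that job.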