diff --git a/.zuul.yaml b/.zuul.yaml
index 822fa1f694..776984deab 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -60,6 +60,21 @@
 tempest_test_regex: horizon
 tox_envlist: all
+- job:
+ # Security testing for known issues
+ name: horizon-tox-bandit-baseline
+ parent: openstack-tox
+ timeout: 2400
+ vars:
+ tox_envlist: bandit-baseline
+ irrelevant-files:
+ - ^.*\.rst$
+ - ^.*\locale/.*$
+ - ^doc/.*$
+ - ^releasenotes/.*$
+ - ^setup.cfg$
+ - ^tools/.*$
+
 - project:
 check:
 jobs:
@@ -68,6 +83,8 @@
 voting: false
 - horizon-dsvm-tempest-plugin
 - openstack-tox-lower-constraints
+ - horizon-tox-bandit-baseline:
+ voting: false
 gate:
 jobs:
 - horizon-openstack-tox-python3-django111
diff --git a/test-requirements.txt b/test-requirements.txt
index 5e05bf39ef..e94e6e149f 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -9,6 +9,7 @@
 # Hacking should appear first in case something else depends on pep8
 hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
 #
+bandit>=1.4.0 # Apache-2.0
 coverage!=4.4,>=4.0 # Apache-2.0
 doc8>=0.6.0 # Apache-2.0
 flake8-import-order==0.12 # LGPLv3
diff --git a/tox.ini b/tox.ini
index f3d5aa2e5f..701d74d9d9 100644
--- a/tox.ini
+++ b/tox.ini
@@ -177,6 +177,13 @@ application-import-names = horizon,openstack_dashboard
 [hacking]
 local-check-factory = horizon.hacking.checks.factory
+[testenv:bandit]
+commands = bandit -r horizon openstack_auth openstack_dashboard -n5 -x tests -ll
+
+[testenv:bandit-baseline]
+envdir = {toxworkdir}/bandit
+commands = bandit-baseline -r horizon openstack_auth openstack_dashboard -n5 -x tests -ii -ll
+
 [doc8]
 # File extensions to check
 extensions = .rst, .yaml
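Review bot: The irrelevant-files pattern `^.*\locale/.*$` in the new horizon-tox-bandit-baseline job contains the escape `\l`, which is not a valid regular-expression escape; Python's `re` rejects unknown ASCII-letter escapes, so the job definition may fail to load or, at best, never match locale paths and the security job would then also run on translation-only changes. The sibling patterns use a plain `/` separator, so the intended pattern is presumably `^.*/locale/.*$`. The comment `# Security testing for known issues` is also too vague to tell a reviewer what the job gates on; a comment along the lines of `# Bandit static analysis; bandit-baseline reports only findings new relative to the target branch` would explain why a non-voting check job is the appropriate rollout (assuming that is how bandit-baseline is being used here — confirm against the tox environment).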
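Review bot: The two new tox environments apply different filters: `[testenv:bandit]` passes only `-ll` (medium severity and above, any confidence), while `[testenv:bandit-baseline]` adds `-ii` (medium confidence and above), so a developer running `tox -e bandit` locally will see low-confidence findings that the CI baseline job never reports, and the two runs cannot be compared directly. If the difference is deliberate, a comment such as `# -ii drops low-confidence findings so the non-voting baseline job stays actionable` above the baseline command would make that explicit; otherwise align both commands on the same `-ii -ll` flags. The `-x tests` exclusion also depends on bandit's path-matching semantics, which have changed across releases; it is worth confirming against the bandit version actually installed that package-level `tests` directories are skipped and that no other path containing that substring is silently excluded from the scan.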