diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index ca3acbe..239df13 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -24,3 +24,8 @@ repos:
       - id: hacking
         additional_dependencies: []
         exclude: '^(doc|releasenotes|tools)/.*$'
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.7.6
+    hooks:
+      - id: bandit
+        args: ['-x', 'tests', '--skip', 'B411']
diff --git a/requirements.txt b/requirements.txt
index 64c3a9f..8d2ae19 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,7 +1,3 @@
-# The order of packages is significant, because pip processes them in the order
-# of appearance. Changing the order has an impact on the overall integration
-# process, which may cause wedges in the gate later.
-
 # NOTE(harlowja): Because oslo.serialization is used by the client libraries,
 # we do not want to add a lot of dependencies to it. If you find that
 # adding a new feature to oslo.serialization means adding a new dependency,
diff --git a/test-requirements.txt b/test-requirements.txt
index 941f435..7ccc454 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -1,15 +1,5 @@
-# The order of packages is significant, because pip processes them in the order
-# of appearance. Changing the order has an impact on the overall integration
-# process, which may cause wedges in the gate later.
-hacking>=3.0.1,<3.1.0 # Apache-2.0
 netaddr>=0.7.18 # BSD
 stestr>=2.0.0 # Apache-2.0
-
 oslotest>=3.2.0 # Apache-2.0
 oslo.i18n>=3.15.3 # Apache-2.0
 coverage!=4.4,>=4.0 # Apache-2.0
-
-# Bandit security code scanner
-bandit>=1.7.0,<1.8.0 # Apache-2.0
-
-pre-commit>=2.6.0 # MIT
diff --git a/tox.ini b/tox.ini
index ea2f862..a6249b1 100644
--- a/tox.ini
+++ b/tox.ini
@@ -10,10 +10,10 @@ deps =
 commands = stestr run --slowest {posargs}
 
 [testenv:pep8]
+deps =
+  pre-commit
 commands =
   pre-commit run -a
-  # Run security linter
-  bandit -r oslo_serialization tests -n5 --skip B411
 
 [testenv:venv]
 commands = {posargs}