diff --git a/test-requirements.txt b/test-requirements.txt
index 975f9f228..0ef7dc029 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -21,3 +21,6 @@ os-api-ref>=1.0.0 # Apache-2.0
 oslosphinx>=4.7.0 # Apache-2.0
 sphinx!=1.3b1,<1.4,>=1.2.1 # BSD
 reno>=1.8.0 # Apache2
+
+# Bandit build requirements
+bandit>=1.1.0 # Apache-2.0
diff --git a/tox.ini b/tox.ini
index 258d53620..d4ff0ffd7 100644
--- a/tox.ini
+++ b/tox.ini
@@ -101,3 +101,7 @@ max-complexity=20
 [hacking]
 local-check-factory = senlin.hacking.checks.factory
 import_exceptions = senlin.common.i18n
+
+[testenv:bandit]
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit -r senlin -x tests -s B101,B104,B110,B310,B311,B506
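Review bot: The `-s B101,B104,B110,B310,B311,B506` skip list on the new `commands` line in `[testenv:bandit]` disables six checks for the whole tree without recording why. Two of them, B506 (`yaml.load`) and B310 (`urlopen` scheme audit), cover code that handles externally supplied data, so any new occurrence will pass the gate unnoticed. Whether these were skipped because of existing findings is not visible in this diff. If so, mark the reviewed lines with `# nosec` and drop those IDs from `-s`. Otherwise, add a full-line comment above `commands`, such as `# Skipped pending triage: B101 assert, B104 bind-all, B110 try/except/pass, B310 urlopen, B311 random, B506 yaml.load`, so the list can be shortened over time.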