diff --git a/test-requirements.txt b/test-requirements.txt
index cbd7550581..19037e43e9 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -1,6 +1,7 @@
 # The order of packages is significant, because pip processes them in the order
 # of appearance. Changing the order has an impact on the overall integration
 # process, which may cause wedges in the gate later.
+bandit>=0.17.3 # Apache-2.0
 bashate>=0.2 # Apache-2.0
 hacking>=0.10.0
 oslo.log>=1.14.0 # Apache-2.0
diff --git a/tox.ini b/tox.ini
index 3816cde612..753b6f359b 100644
--- a/tox.ini
+++ b/tox.ini
@@ -24,6 +24,9 @@ commands =
   {toxinidir}/tools/validate-all-yaml.sh
   {toxinidir}/tools/validate-all-maintainer.sh
 
+[testenv:bandit]
+commands = bandit -r ansible/library dev docker kolla tests tools
+
 [testenv:venv]
 commands = {posargs}
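Review bot: Running bandit over `tests` with its default profile on the `commands` line will report B101 (assert_used) for every `assert` in the test suite, so the env is likely to fail on test code rather than on actual findings. Either drop `tests` from the path list or skip that check explicitly, e.g. `commands = bandit -r ansible/library dev docker kolla tests tools -s B101`; if the goal is a gate rather than an audit, a severity floor such as `-ll` keeps the output actionable. The new env declares no `deps`, so it inherits them from the base `[testenv]`, which starts above this hunk; bandit is presumably only available here if that base section installs test-requirements.txt — worth confirming.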