diff --git a/test-requirements.txt b/test-requirements.txt
index 7b7ad2ed49..f58fa98713 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -19,3 +19,4 @@ WebTest>=2.0 # MIT
 # This is needed for subunit-trace
 tempest-lib>=0.13.0 # Apache-2.0
 reno>=0.1.1 # Apache2
+bandit>=0.17.3 # Apache-2.0
\ No newline at end of file
diff --git a/tox.ini b/tox.ini
index 438cbd3f63..8c743bcbd1 100644
--- a/tox.ini
+++ b/tox.ini
@@ -53,6 +53,10 @@ commands =
   neutron-db-manage --subproject vmware-nsx check_migration
 whitelist_externals = sh
 
+[testenv:bandit]
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit -r vmware_nsx -n 5 -ll
+
 [testenv:cover]
 commands =
   python setup.py testr --coverage --testr-args='{posargs}'