diff --git a/test-requirements.txt b/test-requirements.txt
index 57cb50c7..891fe4f7 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -7,3 +7,6 @@ psycopg2==2.7.3
 
 # Linting
 flake8==3.3.0
+
+# Security scanning
+bandit>=1.1.0 # Apache-2.0
\ No newline at end of file
diff --git a/tox.ini b/tox.ini
index 5ae783bc..db59bd4c 100644
--- a/tox.ini
+++ b/tox.ini
@@ -13,6 +13,9 @@ commands=
 [testenv:pep8]
 commands = flake8 {posargs}
 
+[testenv:bandit]
+commands = bandit -r shipyard_airflow -x tests -n 5
+
 [flake8]
 # NOTE(Bryan Strassner) ignoring F841 because of the airflow example pattern
 # of naming variables even if they aren't used for DAGs and Operators.
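Review bot: `bandit>=1.1.0` is the only open-ended specifier in the visible part of test-requirements.txt; the neighbouring `psycopg2==2.7.3` and `flake8==3.3.0` are exact pins. With a floating scanner version, a new Bandit release can add checks or change option handling and so change the gate's result without any change to this repository, which also makes a past scan result hard to reproduce. Pin it like the others, e.g. `bandit==1.1.0  # Apache-2.0` (or whichever release was actually validated), and bump it deliberately. The new last line also has no trailing newline, which is worth restoring.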
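Review bot: The `bandit` command in `[testenv:bandit]` carries no comment on what it gates on, and it sets no severity or confidence threshold, so Bandit reports every level and a single low-severity finding makes the environment fail. If that strictness is intended, state it above the section, e.g. `# Fails on any Bandit finding; -n 5 prints five lines of context, -x tests skips test code`; if not, add a threshold such as `-ll` to the command. Because the requirement is unpinned, it is also worth confirming that `-x tests` still excludes what you expect on the installed release, as exclusion matching appears to have changed between Bandit versions. Whether `bandit` is added to `envlist` is not visible in this hunk; if it is not, the scan only runs through an explicit `tox -e bandit`.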