diff --git a/test-requirements.txt b/test-requirements.txt
index 6ec717e..6b97fd6 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -13,3 +13,7 @@ coverage!=4.4,>=4.0 # Apache-2.0
 nodeenv>=0.9.4 # BSD
 pytest>=5.3.5 # MIT
 testtools>=2.2.0 # MIT
+
+# bandit is not included in upper-constraints, so we need to pin it here to a
+# known working version
+bandit==1.6.2 # Apache-2.0
diff --git a/tox.ini b/tox.ini
index 9836d54..2254125 100644
--- a/tox.ini
+++ b/tox.ini
@@ -73,3 +73,7 @@ deps =
 -c{toxinidir}/lower-constraints.txt
 -r{toxinidir}/test-requirements.txt
 -r{toxinidir}/requirements.txt
+
+[testenv:bandit]
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit -r blazar_dashboard -l -n 5 -x blazar_dashboard/test
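Review bot: The comment above `bandit==1.6.2` calls it a "known working version" but does not say what fails on other releases, so nothing tells a maintainer when the pin can be raised. An exact pin on a scanner also freezes the set of checks it runs until someone bumps it by hand. I would extend the comment with the reason, for example `# Revisit this pin once <ISSUE-LINK-PLACEHOLDER> is resolved.` Because the pin lives in test-requirements.txt, every tox environment that reads this file installs bandit, not only the bandit one.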
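Review bot: The new `[testenv:bandit]` section only defines the environment; nothing in this hunk adds `bandit` to `envlist` or to a CI job, so unless that happens outside the visible lines the scan runs only when someone types `tox -e bandit`. Its `deps` line also carries no `-c` constraints file, unlike the environment just above it, so bandit's own dependencies resolve unpinned unless a global `install_command` (not visible here) applies constraints. A comment above `commands` would make the flags reviewable, e.g. `# -l: report LOW severity and above; -n 5: show 5 code lines per finding; -x: skip test code`. It is also worth confirming in the run output that the `-x blazar_dashboard/test` exclusion actually takes effect with the pinned release.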