diff --git a/keystone/auth/plugins/totp.py b/keystone/auth/plugins/totp.py
index 9627411da6..40561c7e84 100644
--- a/keystone/auth/plugins/totp.py
+++ b/keystone/auth/plugins/totp.py
@@ -60,8 +60,12 @@ def _generate_totp_passcode(secret):
 secret = secret + b'='
 decoded = base64.b32decode(secret)
+ # NOTE(lhinds) This is marked as #nosec since bandit will see SHA1
+ # which is marked as insecure. In this instance however, keystone uses
+ # HMAC-SHA1 when generating the TOTP, which is currently not insecure but
+ # will still trigger when scanned by bandit.
 totp = crypto_totp.TOTP(
- decoded, 6, hashes.SHA1(), 30, backend=default_backend())
+ decoded, 6, hashes.SHA1(), 30, backend=default_backend()) # nosec
 return totp.generate(timeutils.utcnow_ts(microsecond=True)).decode('utf-8')
diff --git a/keystone/credential/providers/fernet/core.py b/keystone/credential/providers/fernet/core.py
index 97c47a987b..11fd95676e 100644
--- a/keystone/credential/providers/fernet/core.py
+++ b/keystone/credential/providers/fernet/core.py
@@ -57,7 +57,11 @@ def primary_key_hash(keys):
 """Calculate a hash of the primary key used for encryption."""
 if isinstance(keys[0], six.text_type):
 keys[0] = keys[0].encode('utf-8')
- return hashlib.sha1(keys[0]).hexdigest()
+ # NOTE(lhinds) This is marked as #nosec since bandit will see SHA1 which
+ # is marked as insecure. However, this hash function is used alongside
+ # encrypted blobs to implement HMAC-SHA1, which is currently not insecure
+ # but will still trigger when scanned by bandit.
+ return hashlib.sha1(keys[0]).hexdigest() # nosec
 class Provider(core.Provider):
diff --git a/keystone/tests/unit/credential/test_fernet_provider.py b/keystone/tests/unit/credential/test_fernet_provider.py
index b97d59af17..c5ea7d41e8 100644
--- a/keystone/tests/unit/credential/test_fernet_provider.py
+++ b/keystone/tests/unit/credential/test_fernet_provider.py
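Review bot: The new NOTE above `crypto_totp.TOTP(` says HMAC-SHA1 is "currently not insecure" but not why, so a later reader is likely to "fix" the finding by swapping `hashes.SHA1()` for SHA-256 and silently break every enrolled authenticator. I would make the rationale explicit, e.g. `# HMAC-SHA1 is the digest RFC 6238 and authenticator apps default to; HMAC does not rely on SHA-1 collision resistance, and changing the digest would invalidate every existing TOTP credential. nosec because bandit flags SHA1 unconditionally.` A bare `# nosec` also suppresses every other bandit finding on that line, so if the installed bandit supports it prefer the scoped form `# nosec B303` (or whichever test id bandit reports for `hashes.SHA1`). The signature and the earlier part of `_generate_totp_passcode`'s body lie outside the hunk.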
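Review bot: The rationale in the new comment above `return hashlib.sha1(keys[0]).hexdigest()` is wrong: this is a bare SHA-1 digest of the primary key, not HMAC-SHA1, and nothing in `primary_key_hash` combines it with any ciphertext, so an auditor reading "implements HMAC-SHA1" would be misled about what actually protects the blob. From the docstring and the test that compares `primary_key_hash` against `sha1(null_key)`, the digest appears to be a fingerprint identifying which key encrypted a blob, so the honest justification is that collision resistance is irrelevant for tagging a handful of operator-generated keys, that the key itself stays secret because SHA-1 preimage resistance is intact, and that blob integrity comes from Fernet's own HMAC-SHA256 — plus that changing the digest would presumably orphan the hashes already stored with existing credentials. I would replace the NOTE with `# NOTE: bare SHA-1 fingerprint of the primary key, returned next to the ciphertext to identify which key encrypted a blob; not an HMAC or integrity check (Fernet supplies HMAC-SHA256). Collisions are irrelevant for tagging a few keys, preimage resistance keeps the key secret, and changing the digest would invalidate stored hashes.` and, if the installed bandit supports it, scope the suppression as `# nosec B303` (or the id bandit reports for `hashlib.sha1`) rather than a blanket `# nosec`. `class Provider(core.Provider):` is cut off at the end of the hunk.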
@@ -64,7 +64,11 @@ class TestFernetCredentialProviderWithNullKey(unit.TestCase):
 def test_encryption_with_null_key(self):
 null_key = fernet_utils.NULL_KEY
- null_key_hash = hashlib.sha1(null_key).hexdigest()
+ # NOTE(lhinds) This is marked as #nosec since bandit will see SHA1
+ # which is marked insecure. Keystone uses SHA1 in this case as part of
+ # HMAC-SHA1 which is currently not insecure but will still get
+ # caught when scanning with bandit.
+ null_key_hash = hashlib.sha1(null_key).hexdigest() # nosec
 blob = uuid.uuid4().hex
 encrypted_blob, primary_key_hash = self.provider.encrypt(blob)