diff --git a/test-requirements.txt b/test-requirements.txt
index c2691095..4f5d807b 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -3,7 +3,8 @@
 # process, which may cause wedges in the gate later.
 
 # Install bounded pep8/pyflakes first, then let flake8 install
-hacking<0.11,>=0.10.2
+hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
+bandit>=1.1.0 # Apache-2.0
 
 fixtures>=3.0.0 # Apache-2.0/BSD
 coverage>=4.0 # Apache-2.0
diff --git a/tox.ini b/tox.ini
index e1df94ec..82ad6d43 100644
--- a/tox.ini
+++ b/tox.ini
@@ -25,6 +25,8 @@ commands =
     # Ignore too long lines error E006 from bashate and treat
     # E005, E042 as errors.
     bashate -v -iE006 -eE005,E042 devstack/plugin.sh
+    # FIXME(dmllr); B101 needs to be fixed first
+    bandit -r monasca_log_api -n5 -s B101 -x monasca_log_api/tests
 
 [testenv:cover]
 setenv =