diff --git a/monasca_notification/main.py b/monasca_notification/main.py
index bc86265..0d8b232 100644
--- a/monasca_notification/main.py
+++ b/monasca_notification/main.py
@@ -1,4 +1,4 @@
-# (C) Copyright 2014-2016 Hewlett Packard Enterprise Development Company LP
+# (C) Copyright 2014-2017 Hewlett Packard Enterprise Development LP
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -56,7 +56,9 @@ def clean_exit(signum, frame=None):
 if process.is_alive():
 process.terminate() # Sends sigterm which any processes after a notification is sent attempt to handle
 wait_for_exit = True
- except Exception:
+ except Exception: # nosec
+ # There is really nothing to do if the kill fails, so just go on.
+ # The # nosec keeps bandit from reporting this as a security issue
 pass
 # wait for a couple seconds to give the subprocesses a chance to shut down correctly.
@@ -68,7 +70,9 @@ def clean_exit(signum, frame=None):
 log.debug('Killing pid %s' % child.pid)
 try:
 os.kill(child.pid, signal.SIGKILL)
- except Exception:
+ except Exception: # nosec
+ # There is really nothing to do if the kill fails, so just go on.
+ # The # nosec keeps bandit from reporting this as a security issue
 pass
 if signum == signal.SIGTERM:
diff --git a/test-requirements.txt b/test-requirements.txt
index 18a38c7..5ff92f1 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -2,6 +2,7 @@
 # of appearance. Changing the order has an impact on the overall integration
 # process, which may cause wedges in the gate later.
 # Hacking already pins down pep8, pyflakes and flake8
+bandit>=1.1.0 # Apache-2.0
 hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
 coverage>=4.0 # Apache-2.0
 mock>=2.0 # BSD
diff --git a/tox.ini b/tox.ini
index 6fc407c..a9976c0 100644
--- a/tox.ini
+++ b/tox.ini
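Review bot: The `# nosec` on `except Exception:` turns off Bandit's report while the handler still discards every error without a trace, here around `process.terminate()` and again in the next hunk around `os.kill(child.pid, signal.SIGKILL)`. A bare `# nosec` also suppresses any other Bandit check that may later match that line, not only the try/except/pass one. Recording the failure keeps shutdown best-effort and would presumably make the suppression unnecessary, since the body is no longer a lone `pass`: `except Exception as ex:` followed by `log.debug('Failed to stop process: %s' % ex)`. `clean_exit` starts and ends outside both hunks.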
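Review bot: `bandit>=1.1.0` has no upper bound, unlike the `hacking` line below it, which is capped so that a new release cannot change the checks run by the gate. This commit makes Bandit part of the pep8 environment, so a Bandit release that adds or changes a check could start failing that job with no change in this repository. If no upper-constraints file is applied to this environment elsewhere, a cap that is raised deliberately would keep new findings arriving as reviewed changes rather than as gate breakage.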
@@ -56,11 +56,19 @@ commands = oslo_debug_helper -t ./monasca_notification/tests {posargs}
 [testenv:pep8]
-commands = flake8
+deps =
+ {[testenv]deps}
+commands =
+ {[testenv:flake8]commands}
+ {[bandit]commands}
 [testenv:venv]
 commands = {posargs}
+[testenv:flake8]
+commands =
+ flake8 monasca_notification
+
 [flake8]
 max-line-length = 120
 # TODO: ignored checks should be enabled in the future
@@ -68,3 +76,7 @@ max-line-length = 120
 # H405 multi line docstring summary not separated with an empty line
 ignore = F821,H201,H405
 exclude=.venv,.git,.tox,dist,*egg,build
+
+[bandit]
+commands =
+ bandit -r monasca_notification -n5 -x monasca_notification/tests
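Review bot: The new `[testenv:flake8]` command is `flake8 monasca_notification`, whereas pep8 previously ran a bare `flake8`, which, with the `exclude` list in `[flake8]`, checked the whole tree. Python files outside the package are presumably no longer linted by the gate; if that narrowing was not intended, keep `flake8` without a path argument. In `[testenv:pep8]` the scan is also the second command, and tox by default stops at the first failing command, so a flake8 failure means Bandit does not run at all for that change.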
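Review bot: `[bandit]` is a plain section that only `[testenv:pep8]` substitutes from, so the security scan cannot be run on its own. A `[testenv:bandit]` with `commands = {[bandit]commands}` would allow `tox -e bandit` locally and as a separate job, keeping the scan result independent of style failures. The command also sets no severity or confidence threshold, so a finding of any level presumably fails pep8; stating the intended level with Bandit's `-l`/`-i` options would make that choice explicit.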