diff --git a/lower-constraints.txt b/lower-constraints.txt
index a0dada5f670..cee619c3351 100644
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -3,7 +3,6 @@ alembic==0.9.6
 amqp==2.5.0
 appdirs==1.4.3
 Babel==2.3.4
-bashate==0.5.1
 beautifulsoup4==4.6.0
 cachetools==2.0.0
 cryptography<3.3
diff --git a/test-requirements.txt b/test-requirements.txt
index 1a0b5ddb898..09017a1991d 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -1,11 +1,8 @@
 # The order of packages is significant, because pip processes them in the order
 # of appearance. Changing the order has an impact on the overall integration
 # process, which may cause wedges in the gate later.
-hacking>=3.0.1,<3.1.0 # Apache-2.0
-bandit!=1.6.0,>=1.1.0 # Apache-2.0
 coverage!=4.4,>=4.0 # Apache-2.0
 fixtures>=3.0.0 # Apache-2.0/BSD
-flake8-import-order==0.18.1 # LGPLv3
 python-subunit>=1.0.0 # Apache-2.0/BSD
 testtools>=2.2.0 # MIT
 testresources>=2.0.0 # Apache-2.0/BSD
@@ -16,8 +13,6 @@ stestr>=1.0.0 # Apache-2.0
 reno>=3.1.0 # Apache-2.0
 ddt>=1.0.1 # MIT
 astroid==2.4.0 # LGPLv2.1
-pylint==2.5.3 # GPLv2
 isort==4.3.21 # MIT
 # Needed to run DB commands in virtualenvs
 PyMySQL>=0.7.6 # MIT License
-bashate>=0.5.1 # Apache-2.0
diff --git a/tox.ini b/tox.ini
index f8f9f81e995..3c186b8e657 100644
--- a/tox.ini
+++ b/tox.ini
@@ -17,6 +17,7 @@ deps =
   -c{env:UPPER_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master}
   -r{toxinidir}/requirements.txt
   -r{toxinidir}/test-requirements.txt
+  hacking>=3.0.1,<3.1.0 # Apache-2.0
 whitelist_externals = sh
 commands =
   {toxinidir}/tools/pip_install_src_modules.sh "{toxinidir}"
@@ -96,6 +97,10 @@ commands = sphinx-build -a -E -W -d releasenotes/build/doctrees -b html releasen
 envdir = {toxworkdir}/shared
 deps =
   {[testenv]deps}
+  {[testenv:bashate]deps}
+  {[testenv:bandit]deps}
+  flake8-import-order==0.18.1 # LGPLv3
+  pylint==2.5.3 # GPLv2
 commands=
   # If it is easier to add a check via a shell script, consider adding it in this file
   sh ./tools/misc-sanity-checks.sh
@@ -203,11 +208,15 @@ envdir = {toxworkdir}/shared
 # B303: prohibit list calls: md5, sha1
 # B311: Standard pseudo-random generators are not suitable for security/cryptographic purpose
 # B604: any_other_function_with_shell_equals_true
-deps = -r{toxinidir}/test-requirements.txt
+deps =
+  bandit!=1.6.0,>=1.1.0 # Apache-2.0
+  -r{toxinidir}/test-requirements.txt
 commands = bandit -r neutron -x tests -n5 -s B104,B303,B311,B604
 
 [testenv:bashate]
 envdir = {toxworkdir}/shared
+deps =
+  bashate>=0.5.1 # Apache-2.0
 commands = bash -c "find {toxinidir}             \
          -not \( -type d -name .tox\* -prune \)  \
          -not \( -type d -name .venv\* -prune \) \
@@ -243,6 +252,7 @@ deps =
   -c{toxinidir}/lower-constraints.txt
   -r{toxinidir}/test-requirements.txt
   -r{toxinidir}/requirements.txt
+  hacking>=3.0.1,<3.1.0 # Apache-2.0
 
 [testenv:requirements]
 deps =