diff --git a/test-requirements.txt b/test-requirements.txt
index 94279953e4d..1845e028868 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -3,6 +3,7 @@
 # process, which may cause wedges in the gate later.
 hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
 
+bandit>=1.1.0  # Apache-2.0
 coverage!=4.4,>=4.0 # Apache-2.0
 fixtures>=3.0.0 # Apache-2.0/BSD
 flake8-import-order==0.12 # LGPLv3
diff --git a/tox.ini b/tox.ini
index 7d830173ba0..7298e32fc74 100644
--- a/tox.ini
+++ b/tox.ini
@@ -151,6 +151,10 @@ import-order-style = pep8
 import_exceptions = neutron._i18n
 local-check-factory = neutron.hacking.checks.factory
 
+[testenv:bandit]
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit -r neutron -x tests -n5
+
 [testenv:bashate]
 commands = bash -c "find {toxinidir}             \
          -not \( -type d -name .tox\* -prune \)  \