diff --git a/test-requirements.txt b/test-requirements.txt
index e687bf2f4b..7eccfd852c 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -16,7 +16,7 @@ testtools>=2.2.0 # MIT
 testresources>=2.0.0 # Apache-2.0/BSD
 testscenarios>=0.4 # Apache-2.0/BSD
 doc8>=0.6.0 # Apache-2.0
-bandit>=1.1.0 # Apache-2.0
+bandit!=1.6.0,>=1.1.0 # Apache-2.0
 tempest>=17.1.0 # Apache-2.0
 # Required for pep8 - doc8 tests
 sphinx!=1.6.6,!=1.6.7,>=1.6.2,<2.0.0;python_version=='2.7'  # BSD
diff --git a/tox.ini b/tox.ini
index 3b92cb9992..3f8532018b 100644
--- a/tox.ini
+++ b/tox.ini
@@ -78,7 +78,7 @@ commands = flake8
            doc/source octavia  CONSTITUTION.rst HACKING.rst README.rst \
            TESTING.rst
            # Run security linter
-           bandit -r octavia -ll -ii -x 'octavia/tests/*'
+           {[testenv:bandit]commands}
            # Make sure specs follow our template
            find . -type f -name "*.pyc" -delete
            python -m unittest specs-tests.test_titles
@@ -148,7 +148,7 @@ commands =
 
 [testenv:bandit]
 basepython = python3
-commands = bandit -r octavia -ll -ii -x octavia/tests {posargs}
+commands = bandit -r octavia -ll -ii -x tests
 
 [flake8]
 # [H104]: Empty file with only comments