diff --git a/playbooks/osh-infra-bandit.yaml b/playbooks/osh-infra-bandit.yaml
new file mode 100644
index 000000000..754ecda19
--- /dev/null
+++ b/playbooks/osh-infra-bandit.yaml
@@ -0,0 +1,28 @@
+- hosts: all
+ name: openstack-helm-infra-bandit
+ tasks:
+
+ - name: Install Required Packages and Setup Host
+ shell: |
+ set -xe;
+ ./tools/deployment/common/000-install-packages.sh
+ ./tools/deployment/common/005-deploy-k8s.sh
+ sudo -H pip install yq bandit
+ environment:
+ zuul_site_mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
+ args:
+ chdir: "{{ zuul.project.src_dir }}"
+
+ - name: Template out python files
+ shell: |
+ set -xe;
+ make all
+ mkdir -p python-files
+ ./tools/gate/template-python.sh
+ args:
+ chdir: "{{ zuul.project.src_dir }}"
+
+ - name: Run bandit against python files
+ shell: bandit -r ./python-files
+ args:
+ chdir: "{{ zuul.project.src_dir }}"
diff --git a/tools/gate/template-python.sh b/tools/gate/template-python.sh
new file mode 100755
index 000000000..19ef3a932
--- /dev/null
+++ b/tools/gate/template-python.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+EXCLUDES="helm-toolkit doc tests tools logs tmp roles playbooks releasenotes zuul.d python-files"
+DIRS=`ls -d */ | cut -f1 -d'/'`
+
+for EX in $EXCLUDES; do
+ DIRS=`echo $DIRS | sed "s/\b$EX\b//g"`
+done
+
+for DIR in $DIRS; do
+ PYFILES=$(helm template $DIR | yq 'select(.data != null) | .data | to_entries | map(select(.key | test(".*\\.py"))) | select(length > 0) | values[] | {(.key) : (.value)}' | jq -s add)
+ PYKEYS=$(echo "$PYFILES" | jq -r 'select(. != null) | keys[]')
+ for KEY in $PYKEYS; do
+ echo "$PYFILES" | jq -r --arg KEY "$KEY" '.[$KEY]' > ./python-files/"$DIR-$KEY"
+ done
+done
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index 324503521..8385a59e8 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
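Review bot: `sudo -H pip install yq bandit` in the first task installs two unpinned packages from PyPI as root on the gate node, so the scanner that produces the job's verdict is whatever version the index (or the site mirror named in `environment`) happens to serve that day, with no protection against a substituted or broken release; pin both, e.g. `sudo -H pip install 'yq==<tested-version>' 'bandit==<tested-version>'`, or install from a requirements file with `--require-hashes`. Pinning matters doubly for `yq`, which tools/gate/template-python.sh appears to use as the PyPI jq-wrapper (its output is piped straight into `jq` with jq-filter syntax), not the unrelated Go tool of the same name. The third task's `bandit -r ./python-files` is the only assertion the job makes; while it stays non-voting that is fine, but before it is promoted consider `bandit -r ./python-files -ll` (or `-f txt -o bandit.log`) so the severity threshold is explicit and findings are kept as an artifact.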
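Review bot: template-python.sh runs with neither `set -e` nor `pipefail`, so when `helm template $DIR` fails for a chart the `yq | jq -s add` pipeline simply produces `null`, the inner loop writes nothing, and the script still exits 0 — the bandit step then never sees that chart's python and the gate reports green; add `set -eo pipefail` on the line after `#!/bin/bash` (the playbook's `set -xe` covers only the Ansible shell block, not this child process). The exclusion loop's `sed "s/\b$EX\b//g"` matches on word boundaries rather than whole list entries, so an exclude like `tools` would also strip the `tools` prefix from a sibling directory named `tools-foo` and leave `-foo` in `$DIRS`; a `case "$DIR" in helm-toolkit|doc|...) continue ;; esac` guard at the top of the `for DIR` loop is more robust than substring-editing the list. The script also assumes `./python-files` already exists (the playbook creates it one step earlier), so a `mkdir -p ./python-files` before the loop keeps it usable outside the gate.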
@@ -30,6 +30,16 @@ run: playbooks/zuul-linter.yaml nodeset: openstack-helm-single-node +- job: + name: openstack-helm-infra-bandit + run: playbooks/osh-infra-bandit.yaml + nodeset: openstack-helm-single-node +# Note(gagehugo): Uncomment this once it passes so that it only runs +# when python related files are changed. +# files: +# - ^.*\.py\.tpl$ +# - ^.*\.py$ + - job: name: openstack-helm-infra parent: openstack-helm-infra-functional diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index a741a4550..ec3e29410 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -19,6 +19,8 @@ check: jobs: - openstack-helm-lint + - openstack-helm-infra-bandit: + voting: false - openstack-helm-infra-aio-logging - openstack-helm-infra-aio-monitoring - openstack-helm-infra-federated-monitoring:
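Review bot: the `files:` filter kept in the comment (`^.*\.py\.tpl$`, `^.*\.py$`) would be too narrow once enabled, because the job scans python that `helm template` renders, and presumably that output also changes with values files, helper templates and the ConfigMap templates that embed the scripts, none of which match those patterns. When the TODO is acted on, widen the filter to the chart inputs as well, e.g. add `^.*/templates/.*$` and `^.*/values.*\.yaml$`, or keep the job unfiltered and rely on `voting: false`. The rendering itself happens in tools/gate/template-python.sh rather than in this hunk, so this is an inference from how the job is wired.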