diff --git a/test-requirements.txt b/test-requirements.txt
index 552d826..0903d1d 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -14,3 +14,6 @@ sphinx>=1.6.2 # BSD
 reno>=2.5.0 # Apache-2.0
 
 eventlet!=0.18.3,!=0.20.1,<0.21.0,>=0.18.2 # MIT
+
+# Bandit security code scanner
+bandit>=1.1.0 # Apache-2.0
diff --git a/tox.ini b/tox.ini
index 10bcb20..80161ca 100644
--- a/tox.ini
+++ b/tox.ini
@@ -14,7 +14,12 @@ commands =
     env TEST_EVENTLET=1 lockutils-wrapper python setup.py testr --slowest --testr-args='{posargs}'
 
 [testenv:pep8]
-commands = flake8
+deps =
+  -r{toxinidir}/test-requirements.txt
+commands =
+  flake8
+  # Run security linter
+  bandit -r oslo_concurrency -x tests -n5 --skip B311,B404,B603,B606
 
 [testenv:venv]
 commands = {posargs}