diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index c539fabb0..894b69869 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,10 +1,7 @@
 ---
-default_language_version:
-  # force all unspecified python hooks to run python3
-  python: python3
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.1.0
+    rev: v5.0.0
     hooks:
       - id: trailing-whitespace
       - id: mixed-line-ending
@@ -16,17 +13,18 @@ repos:
       - id: check-yaml
         files: .*\.(yaml|yml)$
   - repo: https://github.com/Lucas-C/pre-commit-hooks
-    rev: v1.1.13
+    rev: v1.5.5
     hooks:
       - id: remove-tabs
         exclude: '.*\.(svg)$'
-  - repo: local
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.8.5
     hooks:
-      - id: flake8
-        name: flake8
-        additional_dependencies:
-          - hacking>=6.1.0,<6.2.0
-        language: python
-        entry: flake8
-        files: '^.*\.py$'
+      - id: bandit
+        exclude: '^novaclient/tests/.*$'
+  - repo: https://opendev.org/openstack/hacking
+    rev: 7.0.0
+    hooks:
+      - id: hacking
+        additional_dependencies: []
         exclude: '^(doc|releasenotes|tools)/.*$'
diff --git a/novaclient/crypto.py b/novaclient/crypto.py
index 527bc82a6..f6d77fa75 100644
--- a/novaclient/crypto.py
+++ b/novaclient/crypto.py
@@ -14,7 +14,7 @@
 #    under the License.
 
 import base64
-import subprocess
+import subprocess  # nosec: B404
 
 
 class DecryptionFailure(Exception):
@@ -30,7 +30,7 @@ def decrypt_password(private_key, password):
     cmd = ['openssl', 'rsautl', '-decrypt', '-inkey', private_key]
     proc = subprocess.Popen(cmd, stdin=subprocess.PIPE,
                             stdout=subprocess.PIPE,
-                            stderr=subprocess.PIPE)
+                            stderr=subprocess.PIPE)  # nosec: B603
     out, err = proc.communicate(unencoded)
     proc.stdin.close()
     if proc.returncode:
diff --git a/novaclient/v2/shell.py b/novaclient/v2/shell.py
index 0ca9e7942..7242dbc13 100644
--- a/novaclient/v2/shell.py
+++ b/novaclient/v2/shell.py
@@ -4208,7 +4208,7 @@ def do_ssh(cs, args):
     cmd = "ssh -%d -p%d %s %s@%s %s" % (version, args.port, identity,
                                         args.login, ip_address, args.extra)
     logger.debug("Executing cmd '%s'", cmd)
-    os.system(cmd)
+    os.system(cmd)  # nosec: B605
 
 
 # NOTE(mriedem): In the 2.50 microversion, the os-quota-class-sets API
diff --git a/releasenotes/notes/remove_api_v_1_1-88b3f18ce1423b46.yaml b/releasenotes/notes/remove_api_v_1_1-88b3f18ce1423b46.yaml
index 5748c5e67..4b32d376b 100644
--- a/releasenotes/notes/remove_api_v_1_1-88b3f18ce1423b46.yaml
+++ b/releasenotes/notes/remove_api_v_1_1-88b3f18ce1423b46.yaml
@@ -2,4 +2,3 @@
 upgrade:
   - remove version 1.1 API support as we only support v2 and v2.1
     API in nova side now.
-    
diff --git a/test-requirements.txt b/test-requirements.txt
index 210af0bfb..45c86fed8 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -1,5 +1,3 @@
-hacking>=6.1.0,<6.2.0  # Apache-2.0
-bandit>=1.1.0 # Apache-2.0
 coverage>=4.4.1 # Apache-2.0
 ddt>=1.0.1 # MIT
 fixtures>=3.0.0 # Apache-2.0/BSD
diff --git a/tools/nova.bash_completion b/tools/nova.bash_completion
index 3c58d3493..bbaee901c 100644
--- a/tools/nova.bash_completion
+++ b/tools/nova.bash_completion
@@ -3,25 +3,25 @@ _nova_flags="" # lazy init
 _nova_opts_exp="" # lazy init
 _nova()
 {
-	local cur prev nbc cflags
-	COMPREPLY=()
-	cur="${COMP_WORDS[COMP_CWORD]}"
-	prev="${COMP_WORDS[COMP_CWORD-1]}"
+    local cur prev nbc cflags
+    COMPREPLY=()
+    cur="${COMP_WORDS[COMP_CWORD]}"
+    prev="${COMP_WORDS[COMP_CWORD-1]}"
 
-	if [ "x$_nova_opts" == "x" ] ; then
-		nbc="`nova bash-completion | sed -e "s/  *-h  */ /" -e "s/  *-i  */ /"`"
-		_nova_opts="`echo "$nbc" | sed -e "s/--[a-z0-9_-]*//g" -e "s/  */ /g"`"
-		_nova_flags="`echo " $nbc" | sed -e "s/ [^-][^-][a-z0-9_-]*//g" -e "s/  */ /g"`"
-		_nova_opts_exp="`echo "$_nova_opts" | tr ' ' '|'`"
-	fi
+    if [ "x$_nova_opts" == "x" ] ; then
+        nbc="`nova bash-completion | sed -e "s/  *-h  */ /" -e "s/  *-i  */ /"`"
+        _nova_opts="`echo "$nbc" | sed -e "s/--[a-z0-9_-]*//g" -e "s/  */ /g"`"
+        _nova_flags="`echo " $nbc" | sed -e "s/ [^-][^-][a-z0-9_-]*//g" -e "s/  */ /g"`"
+        _nova_opts_exp="`echo "$_nova_opts" | tr ' ' '|'`"
+    fi
 
-	if [[ " ${COMP_WORDS[@]} " =~ " "($_nova_opts_exp)" " && "$prev" != "help" ]] ; then
-		COMPLETION_CACHE=~/.novaclient/*/*-cache
-		cflags="$_nova_flags "$(cat $COMPLETION_CACHE 2> /dev/null | tr '\n' ' ')
-		COMPREPLY=($(compgen -W "${cflags}" -- ${cur}))
-	else
-		COMPREPLY=($(compgen -W "${_nova_opts}" -- ${cur}))
-	fi
-	return 0
+    if [[ " ${COMP_WORDS[@]} " =~ " "($_nova_opts_exp)" " && "$prev" != "help" ]] ; then
+        COMPLETION_CACHE=~/.novaclient/*/*-cache
+        cflags="$_nova_flags "$(cat $COMPLETION_CACHE 2> /dev/null | tr '\n' ' ')
+        COMPREPLY=($(compgen -W "${cflags}" -- ${cur}))
+    else
+        COMPREPLY=($(compgen -W "${_nova_opts}" -- ${cur}))
+    fi
+    return 0
 }
 complete -F _nova nova
diff --git a/tox.ini b/tox.ini
index 87ff7cba7..0401d37ff 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,12 +1,11 @@
 [tox]
 envlist = py3,pep8,docs
-minversion = 3.18.0
-ignore_basepython_conflict = true
+minversion = 4.6.0
 
 [testenv]
-basepython = python3
+description =
+  Run unit tests.
 usedevelop = true
-# tox is silly... these need to be separated by a newline....
 allowlist_externals =
   find
   rm
@@ -23,10 +22,20 @@ commands =
   stestr run {posargs}
 
 [testenv:pep8]
-commands = flake8 {posargs}
+description =
+  Run style checks.
+deps =
+  pre-commit
+commands =
+  pre-commit run --all-files --show-diff-on-failure
 
 [testenv:bandit]
-commands = bandit -r novaclient -n5 -x tests
+description =
+  Run security checks.
+deps =
+  pre-commit
+commands =
+  pre-commit run --all-files --show-diff-on-failure bandit
 
 [testenv:venv]
 deps =
@@ -37,6 +46,8 @@ deps =
 commands = {posargs}
 
 [testenv:docs]
+description =
+  Build documentation in HTML format.
 deps =
   -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master}
   -r{toxinidir}/doc/requirements.txt
@@ -47,6 +58,8 @@ commands =
   whereto doc/build/html/.htaccess doc/test/redirect-tests.txt
 
 [testenv:pdf-docs]
+description =
+  Build documentation in PDF format.
 deps = {[testenv:docs]deps}
 commands =
   rm -rf doc/build/pdf
@@ -54,6 +67,8 @@ commands =
   make -C doc/build/pdf
 
 [testenv:releasenotes]
+description =
+  Build release notes.
 deps =
   -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master}
   -r{toxinidir}/doc/requirements.txt
@@ -61,12 +76,17 @@ commands =
   sphinx-build -a -E -W -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html
 
 [testenv:functional{,-py39,-py310,-py311,-py312}]
-passenv = OS_*
+description =
+  Run functional tests.
+passenv =
+  OS_*
 commands =
   stestr --test-path=./novaclient/tests/functional run --concurrency=1 {posargs}
   python novaclient/tests/functional/hooks/check_resources.py
 
 [testenv:cover]
+description =
+  Run unit tests and print coverage information.
 setenv =
   PYTHON=coverage run --source novaclient --parallel-mode
 commands =
@@ -93,11 +113,12 @@ exclude=.venv,.git,.tox,dist,*lib/python*,*egg,build,doc/source/conf.py,releasen
 import_exceptions = novaclient.i18n
 
 [testenv:bindep]
+description =
+  Check for installed binary dependencies.
 # Do not install any requirements. We want this to be fast and work even if
 # system dependencies are missing, since it's used to tell you what system
 # dependencies are missing! This also means that bindep must be installed
 # separately, outside of the requirements files.
 deps = bindep
-skipsdist=True
-usedevelop=False
+skip_install = true
 commands = bindep test