diff --git a/test-requirements.txt b/test-requirements.txt
index 5818e4c7..0f0e7b69 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -3,6 +3,7 @@
 # process, which may cause wedges in the gate later.
 
 # Hacking already pins down pep8, pyflakes and flake8
+bandit>=1.1.0 # Apache-2.0
 hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
 coverage!=4.4,>=4.0 # Apache-2.0
 fixtures>=3.0.0 # Apache-2.0/BSD
diff --git a/tox.ini b/tox.ini
index 3f78e59c..ff9a239d 100644
--- a/tox.ini
+++ b/tox.ini
@@ -17,6 +17,11 @@ commands =
     stestr run --slowest {posargs}
 whitelist_externals = find
 
+[testenv:bandit]
+basepython = python3
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit -r senlinclient -x tests -n5 -ll
+
 [testenv:pep8]
 basepython = python3
 commands =