diff --git a/.zuul.yaml b/.zuul.yaml index 47ced40d..cbdd5923 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -4,10 +4,12 @@ jobs: - openstack-tox-linters - stx-tox-pylint + - utilities-tox-bandit gate: jobs: - openstack-tox-linters - stx-tox-pylint + - utilities-tox-bandit post: jobs: - stx-utilities-upload-git-mirror @@ -35,6 +37,18 @@ secret: stx-utilities-github-secret pass-to-parent: true +- job: + name: utilities-tox-bandit + parent: tox + description: | + Run bandit test for utilities + nodeset: ubuntu-bionic + files: + - ./* + vars: + tox_envlist: bandit + tox_extra_args: -c ./ceph/ceph-manager/ceph-manager/tox.ini -c ./ceph/python-cephclient/python-cephclient/tox.ini + - secret: name: stx-utilities-github-secret data: diff --git a/ceph/ceph-manager/ceph-manager/tox.ini b/ceph/ceph-manager/ceph-manager/tox.ini index cad30d50..2d5cd280 100644 --- a/ceph/ceph-manager/ceph-manager/tox.ini +++ b/ceph/ceph-manager/ceph-manager/tox.ini @@ -22,3 +22,11 @@ commands = [flake8] exclude = .venv,.git,.tox,dist,doc,etc,*glance/locale*,*lib/python*,*egg,build + +[bandit] +exclude = tests + +[testenv:bandit] +basepython = python3 +deps = -r{toxinidir}/test-requirements.txt +commands = bandit --ini tox.ini -n 5 -r ceph_manager diff --git a/ceph/python-cephclient/python-cephclient/tox.ini b/ceph/python-cephclient/python-cephclient/tox.ini index c948b756..b509c100 100644 --- a/ceph/python-cephclient/python-cephclient/tox.ini +++ b/ceph/python-cephclient/python-cephclient/tox.ini @@ -17,3 +17,11 @@ commands = [flake8] exclude = .venv,.git,.tox,dist,doc,*lib/python*,*egg,build + +[bandit] +exclude = tests + +[testenv:bandit] +basepython = python3 +deps = -r{toxinidir}/test-requirements.txt +commands = bandit --ini tox.ini -n 5 -r cephclient diff --git a/test-requirements.txt b/test-requirements.txt index 2b5b92c9..52cd4018 100644 --- a/test-requirements.txt +++ b/test-requirements.txt 
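Review bot: In the new `utilities-tox-bandit` job, `tox_extra_args` passes `-c` twice, but as far as I know tox accepts one config file per invocation and the later value replaces the earlier one. If so, only `./ceph/python-cephclient/python-cephclient/tox.ini` is used and ceph-manager is never scanned, while the job still reports green in check and gate. One job per package, each with a single `tox_extra_args: -c <path to that package's tox.ini>`, would make the coverage match the job name. Separately, Zuul reads `files:` entries as regular expressions, so `./*` is not a glob; it happens to match every path, and writing `.*` or dropping the matcher would state that intent.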
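Review bot: In `[testenv:bandit]`, `deps = -r{toxinidir}/test-requirements.txt` resolves to the package directory, yet the only bandit requirement visible in this commit is added to the repository-root `test-requirements.txt`. Unless the per-package file (not shown here) already lists bandit, the env will be built without the scanner and the `bandit` command will fail. Pointing at the root file, `deps = -r{toxinidir}/../../../test-requirements.txt`, or naming bandit directly in `deps` would remove that dependency on an unseen file. The same applies to the identical section added to `ceph/python-cephclient/python-cephclient/tox.ini`. A short comment above `[bandit]` noting that `exclude = tests` keeps test code out of the scan would also help the next reader.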
@@ -1,5 +1,6 @@
 # hacking pulls in flake8
 hacking>=1.1.0,<=2.0.0 # Apache-2.0
+bandit;python_version>="3.0"
 bashate >= 0.2
 isort<5;python_version>="3.0"
 pylint<2.1.0;python_version<"3.0" # GPLv2
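Review bot: The added `bandit` requirement has no version bound, unlike `isort<5` and `pylint<2.1.0` next to it. Since the scanner now runs in a voting gate job, a new bandit release that adds or changes checks can start failing unrelated changes, and the set of checks enforced is not reproducible from the repository alone. I would cap it and add the licence comment the other entries carry, e.g. `bandit<N;python_version>="3.0" # Apache-2.0`, where N is a placeholder for the first release you have not validated.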