diff --git a/test-requirements.txt b/test-requirements.txt
index e6663379..fc557a75 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -17,3 +17,4 @@ oslotest>=1.10.0 # Apache-2.0
 os-testr>=0.8.0 # Apache-2.0
 testrepository>=0.0.18 # Apache-2.0/BSD
 testtools>=1.4.0 # MIT
+bandit>=1.1.0 # Apache-2.0
diff --git a/tox.ini b/tox.ini
index 9f409501..e0af33f8 100644
--- a/tox.ini
+++ b/tox.ini
@@ -6,7 +6,6 @@ usedevelop = True
 whitelist_externals = bash
                       find
                       rm
-                      env
                       flake8
 setenv = VIRTUAL_ENV={envdir}
          OS_TEST_PATH=./deckhand/tests/unit
@@ -45,6 +44,11 @@ commands =
   python setup.py testr --coverage --testr-args='{posargs}'
   coverage report
 
+[testenv:bandit]
+whitelist_externals = bandit
+commands =
+    bandit -r deckhand -x deckhand/tests -n 5
+
 [testenv:genconfig]
 commands = oslo-config-generator --config-file=etc/deckhand/config-generator.conf