diff --git a/bandit.yaml b/bandit.yaml index c99c2a11e8..2e7b18718d 100644 --- a/bandit.yaml +++ b/bandit.yaml @@ -122,18 +122,19 @@ blacklist_calls: # Most of this is based off of Christian Heimes' work on defusedxml: # https://pypi.python.org/pypi/defusedxml/#defusedxml-sax - - xml_bad_cElementTree: - qualnames: [xml.etree.cElementTree.parse, - xml.etree.cElementTree.iterparse, - xml.etree.cElementTree.fromstring, - xml.etree.cElementTree.XMLParser] - message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function." - - xml_bad_ElementTree: - qualnames: [xml.etree.ElementTree.parse, - xml.etree.ElementTree.iterparse, - xml.etree.ElementTree.fromstring, - xml.etree.ElementTree.XMLParser] - message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function." + # TODO(jaegerandi): Enable once defusedxml is in global requirements. + #- xml_bad_cElementTree: + # qualnames: [xml.etree.cElementTree.parse, + # xml.etree.cElementTree.iterparse, + # xml.etree.cElementTree.fromstring, + # xml.etree.cElementTree.XMLParser] + # message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function." + #- xml_bad_ElementTree: + # qualnames: [xml.etree.ElementTree.parse, + # xml.etree.ElementTree.iterparse, + # xml.etree.ElementTree.fromstring, + # xml.etree.ElementTree.XMLParser] + # message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function." - xml_bad_expatreader: qualnames: [xml.sax.expatreader.create_parser] message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function." diff --git a/setup.cfg b/setup.cfg index e0c56ee244..ac2e0cd5c9 100644 --- a/setup.cfg 
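Review bot: Commenting out `xml_bad_cElementTree` and `xml_bad_ElementTree` disables the only entries in this blacklist that cover the `xml.etree` parsers, so until the TODO is resolved a new `xml.etree.ElementTree.fromstring`/`parse` call on request data will pass the gate without a finding, while the less-used `xml.sax.expatreader` check stays on. If existing call sites are what blocks enabling these, the usual approach is to keep the checks active and annotate the known-safe sites with bandit's `# nosec` marker so only new usage trips the gate; at minimum the TODO should reference a tracking bug so the disabled checks are not forgotten. Both the retained and the commented-out messages carry the typo `it's defusedxml equivilent`, which should read `its defusedxml equivalent` when they are touched next. The rest of the `blacklist_calls` section continues outside the hunk.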
+++ b/setup.cfg @@ -86,7 +86,3 @@ output_file = glance/locale/glance.pot [pbr] warnerrors = True - -[extras] -bandit = - bandit>=0.17.3 # Apache-2.0 diff --git a/test-requirements.txt b/test-requirements.txt index 7cb80109fd..c9f6c378a1 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -9,6 +9,7 @@ hacking<0.11,>=0.10.0 Babel>=1.3 # BSD # Needed for testing +bandit>=0.17.3 # Apache-2.0 coverage>=3.6 # Apache-2.0 fixtures>=1.3.1 # Apache-2.0/BSD mox3>=0.7.0 # Apache-2.0 diff --git a/tox.ini b/tox.ini index 583510a6f9..4569a49576 100644 --- a/tox.ini +++ b/tox.ini @@ -30,6 +30,8 @@ commands = [testenv:pep8] commands = flake8 {posargs} + # Run security linter + bandit -c bandit.yaml -r glance -n5 -p gate # Check that .po and .pot files are valid: bash -c "find glance -type f -regex '.*\.pot?' -print0|xargs -0 -n 1 msgfmt --check-format -o /dev/null" @@ -57,7 +59,6 @@ commands = commands = python setup.py build_sphinx [testenv:bandit] -deps = .[bandit] commands = bandit -c bandit.yaml -r glance -n5 -p gate [flake8]
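Review bot: `bandit>=0.17.3` has no upper bound, and because the same line is what the pep8 gate now installs, a new bandit release that changes how it reads `bandit.yaml` or the `gate` profile would break the gate on unrelated patches; a pin or an upper bound, e.g. `bandit>=0.17.3,<1.0 # Apache-2.0`, keeps the linter version under the project's control. This is presumably governed by global-requirements as the bandit.yaml TODO suggests, so it may be enough to confirm the floor there matches before merging.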
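Review bot: The invocation `bandit -c bandit.yaml -r glance -n5 -p gate` is now copied verbatim into `[testenv:pep8]` while the same line remains in `[testenv:bandit]`, so the two will drift the next time a flag or the profile name changes; tox can reuse one from the other, so the pep8 entry can be `{[testenv:bandit]commands}` instead of the duplicated command. With `deps = .[bandit]` removed, `[testenv:bandit]` has no deps line at all and both environments rely on the base `[testenv]` deps installing test-requirements.txt, which is outside this hunk and worth confirming. The `# Run security linter` line sits inside the multi-line `commands =` value, which is fine since the existing `# Check that .po ...` comment already does the same.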