diff --git a/lower-constraints.txt b/lower-constraints.txt
index 0f130f39d..82b98089e 100644
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -2,6 +2,7 @@ alabaster==0.7.10
 appdirs==1.4.3
 Babel==2.5.3
 bashate==0.5.1
+bandit==1.1.0
 beautifulsoup4==4.6.0
 certifi==2018.1.18
 chardet==3.0.4
diff --git a/test-requirements.txt b/test-requirements.txt
index ffa5319b8..25c8aaaba 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -9,6 +9,7 @@ oslotest>=3.2.0 # Apache-2.0
 stestr>=1.0.0 # Apache-2.0
 bashate>=0.5.1 # Apache-2.0
 flake8-import-order>=0.13 # LGPLv3
+bandit!=1.6.0,>=1.1.0,<2.0.0 # Apache-2.0
 
 # Doc requirements
 doc8>=0.6.0 # Apache-2.0
diff --git a/tox.ini b/tox.ini
index 87755c919..954801e18 100644
--- a/tox.ini
+++ b/tox.ini
@@ -114,3 +114,8 @@ deps =
   -c{toxinidir}/lower-constraints.txt
   -r{toxinidir}/test-requirements.txt
   -r{toxinidir}/requirements.txt
+
+[testenv:bandit]
+basepython = python3
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit -r ironic_python_agent -x tests -n5 -ll
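Review bot: The `deps` line of the new `[testenv:bandit]` section installs from test-requirements.txt with no constraints file, so the bandit version can float anywhere inside `>=1.1.0,<2.0.0` and the checks applied may change between runs without any code change. Pinning through the same constraints mechanism the other environments use would keep results reproducible. The exclude `-x tests` is a bare relative name, and how such a value is matched appears to have differed between bandit releases (worth confirming against the versions allowed); writing it as `-x ironic_python_agent/tests` is less ambiguous. A short comment above `commands` would also help, for example `# -ll: report medium severity and higher only; -n5: show five lines of context`, because low-severity findings are silently dropped by this invocation.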
diff --git a/zuul.d/ironic-python-agent-jobs.yaml b/zuul.d/ironic-python-agent-jobs.yaml
index 138563fe5..c4d2169e6 100644
--- a/zuul.d/ironic-python-agent-jobs.yaml
+++ b/zuul.d/ironic-python-agent-jobs.yaml
@@ -142,3 +142,20 @@
         s-container: True
         s-object: True
         s-proxy: True
+
+- job:
+    # Security testing for known issues
+    name: ipa-tox-bandit
+    parent: openstack-tox
+    timeout: 2400
+    vars:
+      tox_envlist: bandit
+    irrelevant-files:
+      - ^test-requirements.txt$
+      - ^.*\.rst$
+      - ^doc/.*$
+      - ^ironic_python_agent/tests/.*$
+      - ^releasenotes/.*$
+      - ^setup.cfg$
+      - ^tools/.*$
+      - ^tox.ini$
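Review bot: The `irrelevant-files` list for `ipa-tox-bandit` contains `^tox.ini$` and `^test-requirements.txt$`, yet those two files define the bandit command line and the allowed bandit versions. A change that weakens the scan (a wider exclude, a higher severity threshold, a different version range) would therefore not trigger the job that it alters. I would drop both entries so that edits to the scanner configuration are themselves scanned. The unescaped dots in patterns such as `^setup.cfg$` and `^tox.ini$` match any character; `^setup\.cfg$` would be stricter, though the practical effect is small.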
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index aa3f1f4aa..9ea3c1d2f 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -28,6 +28,8 @@
         - openstack-tox-functional:
             voting: false
         - openstack-tox-lower-constraints
+        - ipa-tox-bandit:
+            voting: false
     gate:
       queue: ironic
       jobs:
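Review bot: `ipa-tox-bandit` is added to the check pipeline with `voting: false`, so a medium or high severity finding is reported but never blocks a change. That is a reasonable way to introduce the scanner, but the intent should be recorded next to the entry, for example `# TODO: make voting once existing findings are triaged`, so that the job does not stay advisory indefinitely. The gate job list continues outside this hunk, so whether the job is meant to run there later cannot be seen from here.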