diff --git a/.bandit.cfg b/.bandit.cfg
index f2cbd8f30..a82237d94 100644
--- a/.bandit.cfg
+++ b/.bandit.cfg
@@ -1,3 +1,4 @@
 [bandit]
 targets: datanommer.commands,datanommer.consumer,datanommer.models
-exclude: */tests
+# Can't do this now because of https://github.com/PyCQA/bandit/issues/693
+#exclude: .git,.tox,*/tests/*,*/.tox/*
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 3ca6ad924..71c14715a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -29,7 +29,7 @@ repos:
 hooks:
 - id: python-bandit-vulnerability-check
 alias: bandit
- args: ["--ini", ".bandit.cfg", "-ll"]
+ args: ["--ini", ".bandit.cfg", "-r", "-ll", "-x", ".git,.tox,*/tests/*,*/.tox/*"]
 # - repo: local
 # hooks:
 # - id: bandit-local
diff --git a/datanommer.commands/tox.ini b/datanommer.commands/tox.ini
index ce9975e88..de9dc588c 100644
--- a/datanommer.commands/tox.ini
+++ b/datanommer.commands/tox.ini
@@ -1,5 +1,5 @@
 [tox]
-envlist = py{36,37,38,39},lint
+envlist = py{36,37,38,39},lint,security
 skipsdist = True
 [base]
@@ -26,3 +26,10 @@ commands =
 black --check {[base]package}/{posargs}
 isort --check {[base]package}/{posargs}
 flake8 {[base]package}/{posargs}
+
+ [testenv:security]
+deps =
+ bandit
+commands =
+ bandit -r -ll -x ./.tox,./tests .
diff --git a/datanommer.consumer/tox.ini b/datanommer.consumer/tox.ini
index 5cdde83cc..8d5de94c7 100644
--- a/datanommer.consumer/tox.ini
+++ b/datanommer.consumer/tox.ini
@@ -1,5 +1,5 @@
 [tox]
-envlist = py{36,37,38,39},lint
+envlist = py{36,37,38,39},lint,security
 skipsdist = True
 [base]
@@ -25,3 +25,10 @@ commands =
 black --check {[base]package}/{posargs}
 isort --check {[base]package}/{posargs}
 flake8 {[base]package}/{posargs}
+
+ [testenv:security]
+deps =
+ bandit
+commands =
+ bandit -r -ll -x ./.tox,./tests .
diff --git a/datanommer.models/tox.ini b/datanommer.models/tox.ini
index 4d7c88259..27dafccd1 100644
--- a/datanommer.models/tox.ini
+++ b/datanommer.models/tox.ini
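Review bot: The new comment above the disabled `#exclude:` line explains why the exclusion cannot live in the ini but not where it went, so the next reader will either re-add `exclude:` here or tighten one CLI copy without the others, and those copies already disagree (`.git,.tox,*/tests/*,*/.tox/*` in `.pre-commit-config.yaml` versus `./.tox,./tests` in each `tox.ini`). I would extend the comment to `# exclude: cannot be set here until https://github.com/PyCQA/bandit/issues/693 is resolved; the list is passed with -x in .pre-commit-config.yaml and in each package's tox.ini [testenv:security] instead - keep them in sync.` Note also that with `exclude` gone and no severity option in this file, an ad-hoc `bandit --ini .bandit.cfg` now scans the test trees and reports the low-severity findings that the `-ll` hooks hide; that is probably acceptable, but a line saying so would stop people from "fixing" it back.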
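Review bot: The `-x` list in the new `args` line becomes bandit's only exclusion set, and in bandit releases where `--exclude` replaces the built-in default list (`.svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg` in recent versions) rather than extending it, this hook will now descend into `__pycache__`, `.eggs` and `*.egg` trees that were skipped before; check this against the hook's pinned `rev`, which is outside the hunk. If that is the behaviour of the pinned version, carry the defaults over: `args: ["--ini", ".bandit.cfg", "-r", "-ll", "-x", ".git,.tox,.eggs,*.egg,__pycache__,*/tests/*,*/.tox/*"]`. The same exclusions are spelled differently in the `tox.ini` security envs (`./.tox,./tests`), so a path can be scanned by one runner and skipped by the other; pick one spelling and use it in both places.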
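Review bot: `deps = bandit` in the new `[testenv:security]` is unpinned, so the rule set this gate enforces changes with every upstream release and a run can start failing, or quietly stop flagging something, with no change in this repository; pin it, e.g. `deps = bandit==<the version the pre-commit hook's rev resolves to>`, or route it through a constraints file if the project has one outside this hunk. `-ll` also deserves a comment above `commands =`, because it drops every low-severity finding (e.g. assert usage, non-crypto `random`) rather than just trimming noise: `# -ll: only medium- and high-severity findings fail this env; low-severity ones are deliberately accepted`. Finally the exclusion list here (`./.tox,./tests`) is not the same set as the one in `.pre-commit-config.yaml` (`.git,.tox,*/tests/*,*/.tox/*`), so the two runners do not scan the same files.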
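Review bot: The `[testenv:security]` added to `datanommer.consumer/tox.ini` installs an unpinned `bandit`, so which checks run, and therefore whether the env passes, depends on whatever version PyPI serves on the day; pin it with `deps = bandit==<version>` matching the pre-commit hook's `rev`. A one-line comment above `commands =` should also record that `-ll` intentionally suppresses low-severity findings, e.g. `# -ll: medium and high severity only; low-severity findings are accepted`, so a later reader does not mistake the flag for a default.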
@@ -1,5 +1,5 @@
 [tox]
-envlist = py{36,37,38,39},lint
+envlist = py{36,37,38,39},lint,security
 skipsdist = True
 [base]
@@ -23,3 +23,10 @@ commands =
 black --check {[base]package}/{posargs}
 isort --check {[base]package}/{posargs}
 flake8 {[base]package}/{posargs}
+
+ [testenv:security]
+deps =
+ bandit
+commands =
+ bandit -r -ll -x ./.tox,./tests .
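Review bot: The `[testenv:security]` added to `datanommer.models/tox.ini` installs an unpinned `bandit`, so the set of checks this gate enforces can change without any commit in this repository; pin it with `deps = bandit==<version>` matching the pre-commit hook's `rev`. I would also put `# -ll: medium and high severity only; low-severity findings are accepted` above `commands =`, since the flag hides a whole severity class rather than just noise, and align the `-x` list (`./.tox,./tests`) with the spelling used in `.pre-commit-config.yaml` (`.git,.tox,*/tests/*,*/.tox/*`) so both runners scan the same files.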