diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 2b53edd..9b7862c 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -24,7 +24,7 @@ jobs:
 - uses: actions/checkout@v2
 - uses: actions/setup-python@v2
 with:
- python-version: '3.8'
+ python-version: '3.7'
 - name: Install prerequisites
 run: python -m pip install --upgrade setuptools pip wheel tox
 - name: Run ${{ matrix.env }}
diff --git a/pyproject.toml b/pyproject.toml
index b21138f..ef4487a 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,13 +1,5 @@
 [tool.bandit]
-exclude = [
- ".git",
- ".idea",
- ".tox",
- "build",
- "dist",
- "docs",
- "tests",
-]
+# Exclude/ignore of files is currently broken in Bandit.
 [tool.black]
 color = true
diff --git a/tox.ini b/tox.ini
index 3327d01..a5d0173 100644
--- a/tox.ini
+++ b/tox.ini
@@ -31,8 +31,8 @@ commands =
 [testenv:bandit]
 description = PyCQA security linter
-deps = bandit
-commands = bandit {posargs:-r behave_django setup}
+deps = bandit<1.6
+commands = bandit --ini tox.ini {posargs:-r .}
 [testenv:black]
 description = Ensure consistent code style
@@ -85,6 +85,9 @@ paths =
 tests/acceptance
 tests/test_app
 show_skipped = no
+[bandit]
+exclude = .git,.github,.tox,py2clean.py,py3clean.py,pypyclean.py,tests
+
 [flake8]
 exclude = docs,.cache,.tox,*.egg-info,.ropeproject
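Review bot: The comment added under `[tool.bandit]` in pyproject.toml says exclusion is broken, but not where the exclude list went or when the workaround can be removed. The list now lives in the `[bandit]` section of tox.ini and is only read because the tox command passes `--ini tox.ini`, so a plain `bandit -r .` run outside tox would not pick it up. I would write `# File exclusion is broken in current Bandit; excludes live in tox.ini [bandit] (passed via --ini) until <upstream issue link> is fixed.` The now-empty table also looks unused while `bandit<1.6` is pinned, since pyproject.toml support appears to have arrived in a later Bandit release; worth confirming before keeping it.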
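Review bot: `deps = bandit<1.6` in `[testenv:bandit]` of tox.ini caps the security linter at an old release line with no comment saying why or when to lift it, so checks added in later Bandit releases never run in CI. Add a comment above the pin, for example `# Capped: file exclusion is broken in newer Bandit (<upstream issue link>); remove the cap once fixed.`, and consider a lower bound as well so the resolved version is predictable. The Python 3.8 to 3.7 change in .github/workflows/check.yml looks like a consequence of this cap (inferred, the diff does not say so) and deserves the same one-line explanation there.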
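Review bot: With the scan widened to `-r .`, the `exclude` line in the new `[bandit]` section of tox.ini is the only thing deciding which files the security linter skips, and nothing in the change shows that it matches what was intended. Depending on how this Bandit release matches entries (path substring versus glob, which I have not verified), a bare `tests` or `.git` could skip more than the directories named. Running the env once with Bandit's `-v` flag, which lists included and excluded files, and checking that the targets of the old command (`behave_django setup`) still appear as included would settle it. A short comment on why `py2clean.py,py3clean.py,pypyclean.py` are listed would help, since those files are not part of this diff. `build`, `dist` and `docs` from the removed pyproject.toml list are no longer excluded, so local runs will now scan build output.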