diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 23954be7..16d5183f 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -46,3 +46,9 @@ repos:
 - flake8-comprehensions==3.10.0
 - flake8-debugger==4.1.2
 - flake8-string-format==0.3.0
+ - repo: https://github.com/pycqa/bandit
+ rev: 1.7.4
+ hooks:
+ - id: bandit
+ args: [-c, pyproject.toml]
+ additional_dependencies: ["toml"]
diff --git a/pyproject.toml b/pyproject.toml
index 6acac7bd..540f1e5b 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -94,3 +94,7 @@ enable = ["c-extension-no-member", "no-else-return"]
 [tool.pylint.variables]
 dummy-variables-rgx = "_+$|(_[a-zA-Z0-9_]*[a-zA-Z0-9]+?$)|dummy|^ignored_|^unused_"
 ignored-argument-names = "_.*|^ignored_|^unused_|args|kwargs"
+
+[tool.bandit]
+exclude_dirs = ["tests"]
+skips = ["B101"]
diff --git a/src/scmrepo/git/backend/dulwich/credentials.py b/src/scmrepo/git/backend/dulwich/credentials.py
index 6fd636a6..16873e8e 100644
--- a/src/scmrepo/git/backend/dulwich/credentials.py
+++ b/src/scmrepo/git/backend/dulwich/credentials.py
@@ -29,7 +29,7 @@
 import os
 import shlex
 import shutil
-import subprocess
+import subprocess # nosec B404
 import sys
 from typing import Any, Dict, Iterator, List, Optional, Tuple, Union
 from urllib.parse import ParseResult, urlparse
@@ -142,7 +142,7 @@ def _prepare_command(self) -> Union[str, List[str]]:
 if not shutil.which(executable) and shutil.which("git"):
 # If the helper cannot be found in PATH, it might be
 # a C git helper in GIT_EXEC_PATH
-git_exec_path = subprocess.check_output(
+git_exec_path = subprocess.check_output( # nosec B603
 ("git", "--exec-path"),
 universal_newlines=True,
 ).strip()
@@ -181,7 +181,7 @@ def get(
 helper_input.append("")
 
 try:
-res = subprocess.run( # type: ignore # breaks on 3.6
+res = subprocess.run( # type: ignore # nosec B603 # breaks on 3.6
 cmd,
 check=True,
 stdout=subprocess.PIPE,
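Review bot: The new bandit hook leaves `additional_dependencies: ["toml"]` unpinned, so the `toml` version installed into the hook environment is whatever the index serves at install time, while every other extra dependency in this hook list is pinned with `==`. Pin it the same way, e.g. `additional_dependencies: ["toml==<pinned version>"]`, so the hook environment is reproducible across contributors and CI. If the project wants the hook itself immutable as well, `rev:` can carry the commit SHA behind the 1.7.4 tag instead of the tag name, since a tag can be moved after the fact. Pointing the hook at `-c pyproject.toml` is the right call: the skips and excludes then live in version control next to the code they govern.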
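Review bot: `skips = ["B101"]` in the new `[tool.bandit]` table disables the assert check for the whole source tree, even though `exclude_dirs = ["tests"]` already keeps bandit out of the tests, which is the usual reason for skipping B101. In `src/`, an `assert` used as input validation is removed under `python -O`, which is exactly the case B101 exists to surface. If the skip is intended because asserts in the package are internal invariants only, record that above the line, e.g. `# B101: asserts under src/ are internal invariants, not input validation`; otherwise drop the skip and let the tests exclusion do the work.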
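Review bot: The `# nosec B603` markers added to `subprocess.check_output(` in the `_prepare_command` hunk and to `subprocess.run(` in the `get` hunk suppress the finding without recording why the call is safe, which is what the next reader of a bandit suppression needs. For `("git", "--exec-path")` the argv is a fixed tuple with no shell, so a short justification suffices, e.g. `# nosec B603: fixed argv, no shell`. The `subprocess.run(cmd, ...)` case is weaker: `cmd` comes from `_prepare_command`, whose return type is `Union[str, List[str]]`, and the remaining keyword arguments are outside this hunk, so if the string form is ever passed with `shell=True` bandit reports that as B602, which this marker does not cover. Name the origin of `cmd` in the suppression, e.g. `# nosec B603: argv assembled by _prepare_command`, so the suppression and the data flow it relies on are reviewed together. Both enclosing functions begin and end outside their hunks.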
diff --git a/src/scmrepo/git/backend/pygit2.py b/src/scmrepo/git/backend/pygit2.py
index 1cef2c9c..2861554c 100644
--- a/src/scmrepo/git/backend/pygit2.py
+++ b/src/scmrepo/git/backend/pygit2.py
@@ -147,7 +147,7 @@ def _get_codespaces_signature(self) -> Optional["Signature"]:
 email = first(config.get_multivar("user.email"))
 if name and email:
 return Signature(name, email)
-except Exception: # pylint: disable=broad-except
+except Exception: # nosec B110, pylint: disable=broad-except
 pass
 return None
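Review bot: `# nosec B110` silences bandit on the `except Exception: pass` in `_get_codespaces_signature`, but the swallow itself is unchanged: any failure while reading the user config values is discarded with no trace, so a broken Codespaces signature degrades silently into the `None` return. Replacing `pass` with `logger.debug("codespaces signature unavailable", exc_info=True)` would keep the best-effort behavior and still leave a breadcrumb, assuming this module has a logger in scope. Separately, bandit reads the tokens after `nosec` as test ids, so `pylint:` and `disable=broad-except` on the same marker are likely to produce "not a test name" warnings; splitting the pragmas into two comments, `except Exception:  # nosec B110  # pylint: disable=broad-except`, keeps both tools' parsing clean. The function starts before this hunk.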