diff --git a/cachier/_version.py b/cachier/_version.py
index f66fad61..1a1a1118 100644
--- a/cachier/_version.py
+++ b/cachier/_version.py
@@ -16,7 +16,7 @@ def _get_git_sha():
- sha = os.popen("git rev-parse HEAD").read().strip()
+ sha = os.popen("git rev-parse HEAD").read().strip() # noqa: S605, S607 todo
 # SHA short
 return sha[:7]
diff --git a/cachier/cores/mongo.py b/cachier/cores/mongo.py
index 8f09ebf9..f9b0aa88 100644
--- a/cachier/cores/mongo.py
+++ b/cachier/cores/mongo.py
@@ -61,7 +61,7 @@ def get_entry_by_key(self, key):
 if res:
 try:
 entry = {
- "value": pickle.loads(res["value"]),
+ "value": pickle.loads(res["value"]), # noqa: S301
 "time": res.get("time", None),
 "stale": res.get("stale", False),
 "being_calculated": res.get("being_calculated", False),
diff --git a/cachier/cores/pickle.py b/cachier/cores/pickle.py
index cbb68f9a..9e7ef54a 100644
--- a/cachier/cores/pickle.py
+++ b/cachier/cores/pickle.py
@@ -135,7 +135,7 @@ def _reload_cache(self):
 try:
 with portalocker.Lock(fpath, mode="rb") as cache_file:
 try:
- self.cache = pickle.load(cache_file)
+ self.cache = pickle.load(cache_file) # noqa: S301
 except EOFError:
 self.cache = {}
 except FileNotFoundError:
@@ -152,7 +152,7 @@ def _get_cache_by_key(self, key=None, hash=None):
 fpath += f"_{key}" if hash is None else f"_{hash}"
 try:
 with portalocker.Lock(fpath, mode="rb") as cache_file:
- return pickle.load(cache_file)
+ return pickle.load(cache_file) # noqa: S301
 except (FileNotFoundError, EOFError):
 return None
diff --git a/pyproject.toml b/pyproject.toml
index b2edcdd9..e63c2aee 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -43,7 +43,7 @@ select = [
 # "I", #see: https://pypi.org/project/isort/
 # "D", # see: https://pypi.org/project/pydocstyle
 # "N", # see: https://pypi.org/project/pep8-naming
-# "S", # see: https://pypi.org/project/flake8-bandit
+ "S", # see: https://pypi.org/project/flake8-bandit
 "SIM",
 ]
 ignore = [
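Review bot: The `# noqa: S605, S607 todo` added to the `os.popen("git rev-parse HEAD")` line in `_get_git_sha` silences the shell-invocation finding without saying what the todo is, so the suppression is likely to outlive its intent. The command string is constant, so nothing is injectable here, but the call still goes through a shell, resolves `git` via PATH, and a failed call simply yields an empty SHA. An argument-list call removes the shell and leaves only the PATH lookup to justify: `sha = subprocess.check_output(["git", "rev-parse", "HEAD"], text=True).strip()`. That needs `import subprocess` at the top of the file (outside the hunk) and a decision on how a non-zero exit should be handled, since `check_output` raises where `os.popen` did not.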
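Review bot: The bare `# noqa: S301` on `pickle.loads(res["value"])` in `get_entry_by_key` suppresses the finding without recording why unpickling is acceptable, and the same bare suppression is applied to `pickle.load(cache_file)` in `_reload_cache` and `_get_cache_by_key` in cachier/cores/pickle.py. Unpickling runs code chosen by whoever wrote the bytes, so write access to the Mongo collection or to the cache files amounts to code execution in every process that reads the cache. I would state that trust assumption next to each suppression, e.g. `# noqa: S301 - cache store is trusted; anyone who can write it can run code in readers`, and repeat it in the user-facing docs so deployments restrict write access to the store. The enclosing functions start and end outside these hunks.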
@@ -63,6 +63,9 @@ exclude = [
 ignore-init-module-imports = true
 unfixable = ["F401"]
+[tool.ruff.per-file-ignores]
+"tests/**" = ["S101", "S311", "S105", "S603"]
+
 #[tool.ruff.pydocstyle]
 ## Use Google-style docstrings.
 #convention = "google"
diff --git a/tests/test_security.py b/tests/test_security.py
index 7b7a9a57..33ebb48c 100644
--- a/tests/test_security.py
+++ b/tests/test_security.py
@@ -2,16 +2,6 @@ import subprocess
-@pytest.mark.skip # todo: dead check, so let's replace it with Ruff
-def test_bandit():
- """Bandit security scan passes with no warnings or errors."""
- command = ["bandit"]
- parameters = ["-r", "cachier"]
- subprocess.check_call(command + parameters)
- parameters = ["-s", "B101,B311,B404,B603", "-r", "tests"]
- subprocess.check_call(command + parameters)
-
-
 @pytest.mark.skip # todo: dead check, enable it in separate PR w/ pre-commit
 def test_safety():
 """Safety security scan passes with no warnings or errors."""
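Review bot: `S105` in the new `"tests/**"` per-file ignore turns off hardcoded-password detection for the whole test tree, and it has no counterpart in the skip list of the removed bandit test (`B101,B311,B404,B603`), so this widens the exemption rather than carrying the old policy over. Test fixtures are a common place for real connection strings or tokens to be committed by accident. I would keep the blanket list to `"tests/**" = ["S101", "S311", "S603"]` and put a per-line `# noqa: S105` with a short reason on the fixtures that need it.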