diff --git a/.bandit.yml b/.bandit.yml
new file mode 100644
index 0000000..7fcde04
--- /dev/null
+++ b/.bandit.yml
@@ -0,0 +1,2 @@
+skips:
+- B101
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
new file mode 100644
index 0000000..99fff74
--- /dev/null
+++ b/.github/workflows/checks.yml
@@ -0,0 +1,27 @@
+name: Checks
+on: [push, pull_request]
+
+jobs:
+ checks:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ include:
+ - python-version: 3
+ env:
+ TOXENV: security
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v2
+ with:
+ python-version: ${{ matrix.python-version }}
+
+ - name: Run check
+ env: ${{ matrix.env }}
+ run: |
+ pip install -U pip
+ pip install -U tox
+ tox
diff --git a/tox.ini b/tox.ini
index 4fb1d7c..eabac24 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,5 +1,5 @@
 [tox]
-envlist = py
+envlist = security,py
 [testenv]
 deps=
@@ -7,3 +7,9 @@ deps=
 commands = py.test --cov-report term --cov=cssselect
+
+[testenv:security]
+deps =
+ bandit
+commands =
+ bandit -r -c .bandit.yml {posargs:cssselect}
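Review bot: In `.bandit.yml`, the `B101` skip is global and undocumented, so `assert` statements in shipped library code are exempted along with any in tests. Asserts are stripped when Python runs with `-O`, so one that guards input handling would disappear silently and Bandit would no longer report it. If the skip exists only for test code (not visible in this diff), say so in a comment above the entry, e.g. `# B101 (assert_used): asserts appear in tests only; library code must not rely on them`, or exclude the test directory from the scan rather than disabling the check everywhere.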
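Review bot: In `.github/workflows/checks.yml`, no `permissions:` block is declared, so the job runs with the repository's default `GITHUB_TOKEN` scope although it only checks out code and runs tox; a top-level `permissions:` with `contents: read` keeps the token read-only. The `uses:` lines reference `actions/checkout@v2` and `actions/setup-python@v2` by mutable tag; pinning each to a full commit SHA (`actions/checkout@<full-commit-sha>`) prevents a retagged action from changing what executes in CI. `python-version: 3` and the unpinned `pip install -U tox` float as well, so two runs of the same commit may not use the same toolchain.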
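Review bot: In the `[testenv:security]` section added to `tox.ini`, `bandit` is installed without a version bound, so the set of checks gating CI changes whenever a new Bandit release lands and a failure may reflect a tool update rather than a code change. A pinned requirement such as `bandit==<pinned-version>` makes the gate reproducible and turns upgrades into reviewed changes. Bandit analyses source statically, so `skip_install = true` in this section would also avoid building and installing the package just to scan it.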