diff --git a/contrib/packs/tests/test_action_download.py b/contrib/packs/tests/test_action_download.py
index 0961ff17a2..93c6eb3f73 100644
--- a/contrib/packs/tests/test_action_download.py
+++ b/contrib/packs/tests/test_action_download.py
@@ -20,6 +20,10 @@
 import shutil
 import tempfile
 import hashlib
+import sys
+
+# TODO: Move keywords directly to hashlib.md5 call as part of dropping py3.8.
+hashlib_kwargs = {} if sys.version_info[0:2] < (3, 9) else {"usedforsecurity": False}
 from st2common.util.monkey_patch import use_select_poll_workaround
@@ -154,7 +158,9 @@ def tearDown(self):
     def test_run_pack_download(self):
         action = self.get_action_instance()
         result = action.run(packs=["test"], abs_repo_base=self.repo_base)
-        temp_dir = hashlib.md5(PACK_INDEX["test"]["repo_url"].encode()).hexdigest()
+        temp_dir = hashlib.md5(
+            PACK_INDEX["test"]["repo_url"].encode(), **hashlib_kwargs
+        ).hexdigest()
         self.assertEqual(result, {"test": "Success."})
         self.clone_from.assert_called_once_with(
@@ -175,8 +181,12 @@ def test_run_pack_download_dependencies(self):
             abs_repo_base=self.repo_base,
         )
         temp_dirs = [
-            hashlib.md5(PACK_INDEX["test2"]["repo_url"].encode()).hexdigest(),
-            hashlib.md5(PACK_INDEX["test4"]["repo_url"].encode()).hexdigest(),
+            hashlib.md5(
+                PACK_INDEX["test2"]["repo_url"].encode(), **hashlib_kwargs
+            ).hexdigest(),
+            hashlib.md5(
+                PACK_INDEX["test4"]["repo_url"].encode(), **hashlib_kwargs
+            ).hexdigest(),
         ]
         self.assertEqual(result, {"test2": "Success.", "test4": "Success."})
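Review bot: The new `hashlib_kwargs` assignment sits between `import sys` and `from st2common.util.monkey_patch import use_select_poll_workaround`, so a module-level statement now precedes an import and flake8 E402 will flag that `from st2common...` line unless the project suppresses it. The same version-gated one-liner is copied verbatim into this test module and, per this diff, four source modules; one small helper in st2common.util wrapping `hashlib.md5(data, usedforsecurity=False)` with the py3.8 fallback would keep the FIPS/bandit annotation in a single place and let the tests import it instead of re-deriving how `download_pack` names its temp dir. `usedforsecurity=False` is the right annotation here, since the digest only turns `repo_url` into a directory name. A comment next to the version check, `# usedforsecurity was added to hashlib constructors in Python 3.9`, would make clear why the py3.8 branch passes nothing.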
@@ -205,8 +215,12 @@ def test_run_pack_download_multiple_packs(self):
         action = self.get_action_instance()
         result = action.run(packs=["test", "test2"], abs_repo_base=self.repo_base)
         temp_dirs = [
-            hashlib.md5(PACK_INDEX["test"]["repo_url"].encode()).hexdigest(),
-            hashlib.md5(PACK_INDEX["test2"]["repo_url"].encode()).hexdigest(),
+            hashlib.md5(
+                PACK_INDEX["test"]["repo_url"].encode(), **hashlib_kwargs
+            ).hexdigest(),
+            hashlib.md5(
+                PACK_INDEX["test2"]["repo_url"].encode(), **hashlib_kwargs
+            ).hexdigest(),
         ]
         self.assertEqual(result, {"test": "Success.", "test2": "Success."})
@@ -243,7 +257,9 @@ def test_run_pack_download_no_tag(self):
     def test_run_pack_lock_is_already_acquired(self):
         action = self.get_action_instance()
-        temp_dir = hashlib.md5(PACK_INDEX["test"]["repo_url"].encode()).hexdigest()
+        temp_dir = hashlib.md5(
+            PACK_INDEX["test"]["repo_url"].encode(), **hashlib_kwargs
+        ).hexdigest()
         original_acquire = LockFile.acquire
@@ -274,7 +290,9 @@ def mock_acquire(self, timeout=None):
     def test_run_pack_lock_is_already_acquired_force_flag(self):
         # Lock is already acquired but force is true so it should be deleted and released
         action = self.get_action_instance()
-        temp_dir = hashlib.md5(PACK_INDEX["test"]["repo_url"].encode()).hexdigest()
+        temp_dir = hashlib.md5(
+            PACK_INDEX["test"]["repo_url"].encode(), **hashlib_kwargs
+        ).hexdigest()
         original_acquire = LockFile.acquire
@@ -682,7 +700,9 @@ def test_run_pack_download_local_directory(self):
     def test_run_pack_download_with_tag(self):
         action = self.get_action_instance()
         result = action.run(packs=["test"], abs_repo_base=self.repo_base)
-        temp_dir = hashlib.md5(PACK_INDEX["test"]["repo_url"].encode()).hexdigest()
+        temp_dir = hashlib.md5(
+            PACK_INDEX["test"]["repo_url"].encode(), **hashlib_kwargs
+        ).hexdigest()
         self.assertEqual(result, {"test": "Success."})
         self.clone_from.assert_called_once_with(
diff --git a/st2common/st2common/models/db/trace.py b/st2common/st2common/models/db/trace.py
index fe358e90c9..ea3b7c61db 100644
--- a/st2common/st2common/models/db/trace.py
+++ b/st2common/st2common/models/db/trace.py
@@ -15,6 +15,10 @@
 from __future__ import absolute_import
 import hashlib
+import sys
+
+# TODO: Move keywords directly to hashlib.md5 call as part of dropping py3.8.
+hashlib_kwargs = {} if sys.version_info[0:2] < (3, 9) else {"usedforsecurity": False}
 import mongoengine as me
@@ -107,7 +111,7 @@ def get_uid(self):
         parts = []
         parts.append(self.RESOURCE_TYPE)
-        components_hash = hashlib.md5()
+        components_hash = hashlib.md5(**hashlib_kwargs)
         components_hash.update(str(self.trace_tag).encode())
         components_hash.update(str(self.trigger_instances).encode())
         components_hash.update(str(self.rules).encode())
diff --git a/st2common/st2common/models/db/trigger.py b/st2common/st2common/models/db/trigger.py
index a6ef53c313..076886f042 100644
--- a/st2common/st2common/models/db/trigger.py
+++ b/st2common/st2common/models/db/trigger.py
@@ -17,6 +17,10 @@
 import json
 import hashlib
+import sys
+
+# TODO: Move keywords directly to hashlib.md5 call as part of dropping py3.8.
+hashlib_kwargs = {} if sys.version_info[0:2] < (3, 9) else {"usedforsecurity": False}
 import mongoengine as me
@@ -116,7 +120,7 @@ def get_uid(self):
         # compatibility reasons.
         parameters = getattr(self, "parameters", {})
         parameters = json.dumps(parameters, sort_keys=True)
-        parameters = hashlib.md5(parameters.encode()).hexdigest()
+        parameters = hashlib.md5(parameters.encode(), **hashlib_kwargs).hexdigest()
         uid = uid + self.UID_SEPARATOR + parameters
         return uid
diff --git a/st2common/st2common/util/crypto.py b/st2common/st2common/util/crypto.py
index 0aea24763c..65e0c447b8 100644
--- a/st2common/st2common/util/crypto.py
+++ b/st2common/st2common/util/crypto.py
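Review bot: In trigger.py's `get_uid`, the changed `parameters = hashlib.md5(parameters.encode(), **hashlib_kwargs).hexdigest()` line feeds a persisted identifier (the `uid` returned two lines later), so the digest algorithm is pinned by stored data and cannot be swapped even when MD5 is disabled at the platform level; that is the real justification for `usedforsecurity=False`, and the existing `# compatibility reasons.` comment only hints at it. I would extend that comment to `# MD5 is pinned for UID stability with already-stored documents; the digest is an identity key, not a security boundary, so usedforsecurity=False keeps FIPS builds and bandit quiet.` so the next maintainer does not read the flag as "collisions are irrelevant". If UID uniqueness is enforced in the database, note that MD5 collisions on the sorted-JSON parameters would merge two distinct triggers; whether that is reachable by a user who can define trigger parameters is outside this hunk and worth a sentence in the comment. The start of `get_uid` is outside the hunk.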
@@ -39,6 +39,10 @@
 import base64
 from hashlib import sha1
+import sys
+
+# TODO: Move keywords directly to sha1 call as part of dropping py3.8.
+hashlib_kwargs = {} if sys.version_info[0:2] < (3, 9) else {"usedforsecurity": False}
 import six
@@ -70,7 +74,11 @@
 # Keyczar related constants
 KEYCZAR_HEADER_SIZE = 5
 KEYCZAR_AES_BLOCK_SIZE = 16
-KEYCZAR_HLEN = sha1().digest_size
+# usedforsecurity: False used here because KEYCZAR is deprecated
+# inherently insecure and will need to be removed from the code base when
+# the cryptography implementation is revised. This is just to keep
+# bandit happy.
+KEYCZAR_HLEN = sha1(**hashlib_kwargs).digest_size
 # Minimum key size which can be used for symmetric crypto
 MINIMUM_AES_KEY_SIZE = 128
diff --git a/st2common/st2common/util/pack_management.py b/st2common/st2common/util/pack_management.py
index c9576f6fcc..973394957d 100644
--- a/st2common/st2common/util/pack_management.py
+++ b/st2common/st2common/util/pack_management.py
@@ -25,6 +25,10 @@
 import hashlib
 import stat
 import re
+import sys
+
+# TODO: Move keywords directly to hashlib.md5 call as part of dropping py3.8.
+hashlib_kwargs = {} if sys.version_info[0:2] < (3, 9) else {"usedforsecurity": False}
 # This test workaround needs to be used before importing git
 from st2common.util.monkey_patch import use_select_poll_workaround
@@ -113,7 +117,7 @@ def download_pack(
     result = [pack_url, None, None]
-    temp_dir_name = hashlib.md5(pack_url.encode()).hexdigest()
+    temp_dir_name = hashlib.md5(pack_url.encode(), **hashlib_kwargs).hexdigest()
     lock_file = LockFile("/tmp/%s" % (temp_dir_name))
     lock_file_path = lock_file.lock_file
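Review bot: The new comment above `KEYCZAR_HLEN = sha1(**hashlib_kwargs).digest_size` justifies `usedforsecurity=False` by Keyczar being insecure, but this call never hashes any data and only reads `.digest_size`, which is the actual reason the flag is harmless; the comment as written invites someone to copy the flag onto a real SHA-1/HMAC call in the Keyczar path. I would replace the four comment lines with `# Only the digest length is read here (no data is hashed), so usedforsecurity=False is accurate; it exists to keep bandit and FIPS builds quiet.` Since the value is fixed, `KEYCZAR_HLEN = 20  # SHA-1 digest length in bytes` would avoid constructing a hash object at import time entirely. If this file still computes an HMAC over Keyczar messages with `sha1` elsewhere (outside this hunk), that call must not inherit `hashlib_kwargs`. The sentence "KEYCZAR is deprecated inherently insecure" also reads as missing a comma after "deprecated".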
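Review bot: `usedforsecurity=False` is accurate on the `temp_dir_name` line, because the MD5 only turns `pack_url` into a stable directory and lock-file name, but the next line, `LockFile("/tmp/%s" % (temp_dir_name))`, still derives a fully predictable path in a shared, world-writable directory from a public URL, and the flag now documents that no one relies on the name being hard to guess. That is pre-existing rather than introduced here, so I would only add a why-comment above the hash call: `# MD5 here only derives a stable temp dir/lock name from the URL; it is not a security boundary, so usedforsecurity=False.` Whether another local user can pre-create or symlink that lock path before the service does depends on how LockFile opens it, which is outside this hunk; worth confirming given the path is derivable by anyone who knows the pack URL. The body of `download_pack` continues beyond this hunk.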