diff --git a/.gitattributes b/.gitattributes
index b85284d7..f4fcbaa5 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -5,6 +5,7 @@
 /.gitattributes linguist-generated
 /.github/pull_request_template.md linguist-generated
 /.github/workflows/auto-approve.yml linguist-generated
+/.github/workflows/bandit.yml linguist-generated
 /.github/workflows/build.yml linguist-generated
 /.github/workflows/github-merit-badger.yml linguist-generated
 /.github/workflows/monthly-repo-metrics.yml linguist-generated
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
new file mode 100644
index 00000000..ea3d2efc
--- /dev/null
+++ b/.github/workflows/bandit.yml
@@ -0,0 +1,33 @@
+# ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen".
+
+name: bandit
+on:
+ pull_request: {}
+ workflow_dispatch: {}
+ push:
+ branches:
+ - main
+ schedule:
+ - cron: 20 17 * * *
+jobs:
+ bandit:
+ name: bandit/ci
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: read
+ security-events: write
+ actions: read
+ if: (github.actor != 'dependabot[bot]')
+ steps:
+ - name: Checkout project
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ - name: Setup Python
+ uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236
+ - name: Run Bandit
+ run: bandit --recursive --format html --output bandit-report.html .
+ - name: Store Bandit as Artifact
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
+ with:
+ name: bandit-report.html
+ path: bandit-report.html
diff --git a/.gitignore b/.gitignore
index 028e6559..f0218b86 100644
--- a/.gitignore
+++ b/.gitignore
@@ -62,3 +62,4 @@ tsconfig.json
 !/.github/workflows/auto-approve.yml
 !/.github/workflows/ort-toolkit.yml
 !/.github/workflows/semgrep.yml
+!/.github/workflows/bandit.yml
diff --git a/.projen/files.json b/.projen/files.json
index b0b199bd..2a2005fc 100644
--- a/.projen/files.json
+++ b/.projen/files.json
@@ -4,6 +4,7 @@
 ".gitattributes",
 ".github/pull_request_template.md",
 ".github/workflows/auto-approve.yml",
+ ".github/workflows/bandit.yml",
 ".github/workflows/build.yml",
 ".github/workflows/github-merit-badger.yml",
 ".github/workflows/monthly-repo-metrics.yml",
diff --git a/.projenrc.ts b/.projenrc.ts
index 30802a69..0946d741 100644
--- a/.projenrc.ts
+++ b/.projenrc.ts
@@ -19,6 +19,7 @@ import {
 buildAutoApproveWorkflow,
 buildOrtToolkitWorkflow,
 runSemGrepWorkflow,
+ runBanditWorkflow,
 } from './projenrc/github-workflows';
 
 // Constants
@@ -94,6 +95,7 @@ buildUpdateContributorsWorkflow(project);
 buildAutoApproveWorkflow(project);
 buildOrtToolkitWorkflow(project);
 runSemGrepWorkflow(project);
+runBanditWorkflow(project);
 
 // Add specific overrides https://projen.io/github.html#actions-versions
 project.github?.actions.set("actions/checkout@v3", "actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744");
diff --git a/projenrc/github-workflows.ts b/projenrc/github-workflows.ts
index f0250f33..f74e35c7 100644
--- a/projenrc/github-workflows.ts
+++ b/projenrc/github-workflows.ts
@@ -346,3 +346,79 @@ export function runSemGrepWorkflow(project: AwsCdkConstructLibrary) {
 }
 }
 }
+
+/**
+ * https://github.com/mdegis/bandit-action
+ * Runs Bandit on the repository.
+ * @param project AwsCdkConstructLibrary
+ */
+export function runBanditWorkflow(project: AwsCdkConstructLibrary) {
+ const bandit: Job = {
+ name: 'bandit/ci',
+ runsOn: ['ubuntu-latest'],
+ // container: {
+ // image: 'returntocorp/semgrep',
+ // },
+ permissions: {
+ contents: JobPermission.READ,
+ pullRequests: JobPermission.READ,
+ securityEvents: JobPermission.WRITE,
+ actions: JobPermission.READ,
+ },
+ if: "(github.actor != 'dependabot[bot]')",
+
+ steps: [
+ {
+ name: 'Checkout project',
+ uses: 'actions/checkout@v3',
+ },
+ {
+ name: 'Setup Python',
+ uses: 'actions/setup-python@v4',
+ },
+ {
+ name: 'Run Bandit',
+ run: 'bandit --recursive --format html --output bandit-report.html .',
+ },
+ {
+ name: 'Store Bandit as Artifact',
+ uses: 'actions/upload-artifact@v3',
+ with: {
+ name: 'bandit-report.html',
+ path: 'bandit-report.html',
+ },
+ },
+ // `awslabs` has the Advanced Security disabled.
+ // {
+ // name: 'Upload SARIF file for GitHub Advanced Security Dashboard',
+ // uses: 'github/codeql-action/upload-sarif@v2',
+ // with: {
+ // sarif_file: 'semgrep.sarif',
+ // },
+ // if: 'always()',
+ // },
+ ],
+ };
+
+ if (project.github) {
+ const workflow = project.github.addWorkflow('bandit');
+ if (workflow) {
+ workflow.on({
+ pullRequest: {},
+ workflowDispatch: {
+ },
+ push: {
+ branches: [
+ 'main',
+ ],
+ },
+ schedule: [
+ { cron: '20 17 * * *' },
+ ],
+ });
+ workflow.addJobs({
+ bandit: bandit,
+ });
+ }
+ }
+}
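Review bot: The 'Run Bandit' step calls `bandit` straight after `actions/setup-python@v4` but nothing installs it, so on a stock `ubuntu-latest` runner the job would presumably fail with command-not-found before any report exists; the smallest fix is `run: 'pip install bandit && bandit --recursive --format html --output bandit-report.html .',` or a separate install step. The job also asks for `securityEvents: JobPermission.WRITE` while the only consumer of that scope, the SARIF upload step, is commented out, so the generated workflow carries a write scope it never uses — dropping that line (and `actions: JobPermission.READ`, which no visible step needs) keeps the job at least privilege. Bandit exits non-zero when it reports findings by default, which would skip the 'Store Bandit as Artifact' step exactly when the report matters; `if: 'always()'` on that step, as the commented-out upload step already has, keeps the artifact. The doc comment links `mdegis/bandit-action`, which the job does not use, and the commented-out container and SARIF lines still name `returntocorp/semgrep` and `semgrep.sarif`, which reads as residue from runSemGrepWorkflow; a header such as `/** Adds the 'bandit' workflow: runs Bandit over the repository on PRs, pushes to main and a daily schedule, and uploads the HTML report as an artifact. */` would describe what is actually built. runBanditWorkflow starts and ends inside this hunk.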