diff --git a/.gitattributes b/.gitattributes
index b85284d7..f4fcbaa5 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -5,6 +5,7 @@
 /.gitattributes linguist-generated
 /.github/pull_request_template.md linguist-generated
 /.github/workflows/auto-approve.yml linguist-generated
+/.github/workflows/bandit.yml linguist-generated
 /.github/workflows/build.yml linguist-generated
 /.github/workflows/github-merit-badger.yml linguist-generated
 /.github/workflows/monthly-repo-metrics.yml linguist-generated
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
new file mode 100644
index 00000000..860a4fbc
--- /dev/null
+++ b/.github/workflows/bandit.yml
@@ -0,0 +1,36 @@
+# ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen".
+
+name: bandit
+on:
+ pull_request: {}
+ workflow_dispatch: {}
+ push:
+ branches:
+ - main
+ schedule:
+ - cron: 20 17 * * *
+jobs:
+ bandit:
+ name: bandit/ci
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: read
+ security-events: write
+ actions: read
+ if: (github.actor != 'dependabot[bot]')
+ steps:
+ - name: Checkout project
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ - name: Setup Python
+ uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236
+ run: python -m pip install bandit
+ with:
+ python-version: 3.x
+ - name: Run Bandit
+ run: bandit --recursive --format html --output bandit-report.html .
+ - name: Store Bandit as Artifact
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
+ with:
+ name: bandit-report.html
+ path: bandit-report.html
diff --git a/.gitignore b/.gitignore
index 028e6559..f0218b86 100644
--- a/.gitignore
+++ b/.gitignore
@@ -62,3 +62,4 @@ tsconfig.json
 !/.github/workflows/auto-approve.yml
 !/.github/workflows/ort-toolkit.yml
 !/.github/workflows/semgrep.yml
+!/.github/workflows/bandit.yml
diff --git a/.projen/files.json b/.projen/files.json
index b0b199bd..2a2005fc 100644
--- a/.projen/files.json
+++ b/.projen/files.json
@@ -4,6 +4,7 @@
 ".gitattributes",
 ".github/pull_request_template.md",
 ".github/workflows/auto-approve.yml",
+ ".github/workflows/bandit.yml",
 ".github/workflows/build.yml",
 ".github/workflows/github-merit-badger.yml",
 ".github/workflows/monthly-repo-metrics.yml",
diff --git a/.projenrc.ts b/.projenrc.ts
index b03e6b88..61a5a300 100644
--- a/.projenrc.ts
+++ b/.projenrc.ts
@@ -19,6 +19,7 @@ import {
 buildAutoApproveWorkflow,
 buildOrtToolkitWorkflow,
 runSemGrepWorkflow,
+ runBanditWorkflow,
 } from './projenrc/github-workflows';
 
 // Constants
@@ -94,6 +95,27 @@ buildUpdateContributorsWorkflow(project);
 buildAutoApproveWorkflow(project);
 buildOrtToolkitWorkflow(project);
 runSemGrepWorkflow(project);
+runBanditWorkflow(project);
+
+// Add specific overrides https://projen.io/github.html#actions-versions
+project.github?.actions.set('actions/checkout@v3', 'actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744');
+project.github?.actions.set('actions/download-artifact@v3', 'actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a');
+project.github?.actions.set('actions/github-script@v6', 'actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410');
+project.github?.actions.set('actions/setup-node@v3', 'actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7');
+project.github?.actions.set('actions/setup-python@v4', 'actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236');
+project.github?.actions.set('actions/stale@v4', 'actions/stale@a20b814fb01b71def3bd6f56e7494d667ddf28da');
+project.github?.actions.set('actions/upload-artifact@v3', 'actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32');
+project.github?.actions.set('amannn/action-semantic-pull-request@v5.0.2', 'amannn/action-semantic-pull-request@01d5fd8a8ebb9aafe902c40c53f0f4744f7381eb');
+project.github?.actions.set('aws-github-ops/github-merit-badger@main', 'aws-github-ops/github-merit-badger@70d1c47f7051d6e324d4ddc48d676ba61ef69a3e');
+project.github?.actions.set('codecov/codecov-action@v3', 'codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d');
+project.github?.actions.set('github/issue-metrics@v2', 'github/issue-metrics@6bc5254e72971dbb7462db077779f1643f772afd');
+project.github?.actions.set('hmarr/auto-approve-action@v3.2.1', 'hmarr/auto-approve-action@44888193675f29a83e04faf4002fa8c0b537b1e4');
+project.github?.actions.set('minicli/action-contributors@v3.3', 'minicli/action-contributors@20ec03af008cb51110a3137fbf77f59a4fd7ff5a');
+project.github?.actions.set('oss-review-toolkit/ort-ci-github-action@v1', 'oss-review-toolkit/ort-ci-github-action@7f23c1f8d169dad430e41df223d3b8409c7a156e');
+project.github?.actions.set('peter-evans/create-issue-from-file@v4', 'peter-evans/create-issue-from-file@433e51abf769039ee20ba1293a088ca19d573b7f');
+project.github?.actions.set('peter-evans/create-pull-request@v4', 'peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54');
+project.github?.actions.set('peter-evans/create-pull-request@v5', 'peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38');
+
 // Add specific overrides https://projen.io/github.html#actions-versions
 project.github?.actions.set('actions/checkout@v3', 'actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744');
diff --git a/projenrc/github-workflows.ts b/projenrc/github-workflows.ts
index 0e6aea51..da2b258c 100644
--- a/projenrc/github-workflows.ts
+++ b/projenrc/github-workflows.ts
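Review bot: The added overrides block duplicates one that already exists: the two context lines closing this hunk show `// Add specific overrides https://projen.io/github.html#actions-versions` and `project.github?.actions.set('actions/checkout@v3', …)` immediately after the inserted copy, so after this commit the same `actions.set` calls run twice and the later block silently wins. Two copies of a pin table are exactly where a stale or mistyped SHA hides, since a reviewer checking one block will assume the other matches; keep a single block (delete the newly added one, or the pre-existing one if its pins are older) so each action has one pinned source of truth. Only the first two lines of the pre-existing block are visible here, so whether both copies currently pin identical SHAs cannot be confirmed from this hunk.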
@@ -350,3 +350,83 @@ export function runSemGrepWorkflow(project: AwsCdkConstructLibrary) {
 }
 }
 }
+
+/**
+ * https://github.com/mdegis/bandit-action
+ * Runs Bandit on the repository.
+ * @param project AwsCdkConstructLibrary
+ */
+export function runBanditWorkflow(project: AwsCdkConstructLibrary) {
+ const bandit: Job = {
+ name: 'bandit/ci',
+ runsOn: ['ubuntu-latest'],
+ // container: {
+ // image: 'returntocorp/semgrep',
+ // },
+ permissions: {
+ contents: JobPermission.READ,
+ pullRequests: JobPermission.READ,
+ securityEvents: JobPermission.WRITE,
+ actions: JobPermission.READ,
+ },
+ if: "(github.actor != 'dependabot[bot]')",
+
+ steps: [
+ {
+ name: 'Checkout project',
+ uses: 'actions/checkout@v3',
+ },
+ {
+ name: 'Setup Python',
+ uses: 'actions/setup-python@v4',
+ with: {
+ 'python-version': '3.x',
+ },
+ run: 'python -m pip install bandit',
+ },
+ {
+ name: 'Run Bandit',
+ run: 'bandit --recursive --format html --output bandit-report.html .',
+ },
+ {
+ name: 'Store Bandit as Artifact',
+ uses: 'actions/upload-artifact@v3',
+ with: {
+ name: 'bandit-report.html',
+ path: 'bandit-report.html',
+ },
+ },
+ // `awslabs` has the Advanced Security disabled.
+ // {
+ // name: 'Upload SARIF file for GitHub Advanced Security Dashboard',
+ // uses: 'github/codeql-action/upload-sarif@v2',
+ // with: {
+ // sarif_file: 'semgrep.sarif',
+ // },
+ // if: 'always()',
+ // },
+ ],
+ };
+
+ if (project.github) {
+ const workflow = project.github.addWorkflow('bandit');
+ if (workflow) {
+ workflow.on({
+ pullRequest: {},
+ workflowDispatch: {
+ },
+ push: {
+ branches: [
+ 'main',
+ ],
+ },
+ schedule: [
+ { cron: '20 17 * * *' },
+ ],
+ });
+ workflow.addJobs({
+ bandit: bandit,
+ });
+ }
+ }
+}
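Review bot: The 'Setup Python' step declares both `uses: 'actions/setup-python@v4'` and `run: 'python -m pip install bandit'`; a GitHub Actions step may carry only one of those two keys, so the generated `.github/workflows/bandit.yml` in this commit (same defect, rendered from this job) is unlikely to pass workflow validation — the install belongs in its own step, as below. The artifact upload is also skipped exactly when the report matters: bandit exits non-zero when it reports findings, which fails 'Run Bandit' and skips every later step, so 'Store Bandit as Artifact' needs `if: 'always()'`. The job requests `securityEvents: JobPermission.WRITE` and `pullRequests: JobPermission.READ`, but the only consumer of security-events (the commented-out SARIF upload) is disabled and no visible step reads pull requests or workflow runs; trim the block to `contents: JobPermission.READ` so the job token carries only what the steps use, and re-add write when the SARIF step is enabled. The doc comment links mdegis/bandit-action and the commented container block names the semgrep image, neither of which this job uses; replace the comment body with `Runs Bandit (installed via pip) over the whole repository and stores an HTML report as a build artifact.` and drop the semgrep container leftover.

```typescript
      {
        name: 'Setup Python',
        uses: 'actions/setup-python@v4',
        with: {
          'python-version': '3.x',
        },
      },
      {
        name: 'Install Bandit',
        run: 'python -m pip install bandit',
      },
      // … unchanged: 'Run Bandit' step …
      {
        name: 'Store Bandit as Artifact',
        uses: 'actions/upload-artifact@v3',
        // bandit exits non-zero on findings; keep the report in that case too
        if: 'always()',
        with: {
          name: 'bandit-report.html',
          path: 'bandit-report.html',
        },
      },
```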