diff --git a/modules/gerritbot/files/gerritbot_channel_config.yaml b/modules/gerritbot/files/gerritbot_channel_config.yaml
index 4eafa73aee..3cbe2c1fd0 100644
--- a/modules/gerritbot/files/gerritbot_channel_config.yaml
+++ b/modules/gerritbot/files/gerritbot_channel_config.yaml
@@ -868,6 +868,7 @@ openstack-security:
       - x-vrif-minus-2
     projects:
       - openstack/security-doc
+      - stackforge/bandit
     branches:
       - master
 
diff --git a/modules/openstack_project/files/gerrit/acls/stackforge/bandit.config b/modules/openstack_project/files/gerrit/acls/stackforge/bandit.config
new file mode 100644
index 0000000000..9dd1176600
--- /dev/null
+++ b/modules/openstack_project/files/gerrit/acls/stackforge/bandit.config
@@ -0,0 +1,14 @@
+[access "refs/heads/*"]
+abandon = group bandit-core
+label-Code-Review = -2..+2 group bandit-core
+label-Workflow = -1..+1 group bandit-core
+
+[access "refs/tags/*"]
+pushSignedTag = group bandit-release
+
+[receive]
+requireChangeId = true
+requireContributorAgreement = true
+
+[submit]
+mergeContent = true
diff --git a/modules/openstack_project/files/review.projects.yaml b/modules/openstack_project/files/review.projects.yaml
index 490a4a7124..91572cd9ae 100644
--- a/modules/openstack_project/files/review.projects.yaml
+++ b/modules/openstack_project/files/review.projects.yaml
@@ -547,6 +547,9 @@
 - project: stackforge/aviator
   description: An OpenStack client library for Ruby
   upstream: git://github.com/aviator/aviator
+- project: stackforge/bandit
+  description: Python AST-based static analyzer from OpenStack Security Group
+  upstream: git://github.com/chair6/bandit.git
 - project: stackforge/billingstack
   upstream: git://github.com/billingstack/billingstack
   description: Billing software
diff --git a/modules/openstack_project/files/zuul/layout.yaml b/modules/openstack_project/files/zuul/layout.yaml
index 9d3d8b7713..2fc5bad27e 100644
--- a/modules/openstack_project/files/zuul/layout.yaml
+++ b/modules/openstack_project/files/zuul/layout.yaml
@@ -3501,6 +3501,11 @@ projects:
     gate:
       - gate-aviator-tests
 
+  - name: stackforge/bandit
+    template:
+      - name: merge-check
+      - name: noop-jobs
+
   - name: stackforge/billingstack
     template:
       - name: merge-check