diff --git a/.github/workflows/build_validation_develop.yml b/.github/workflows/build_validation_develop.yml
index 8d2add6b97..9d72a41684 100644
--- a/.github/workflows/build_validation_develop.yml
+++ b/.github/workflows/build_validation_develop.yml
@@ -105,6 +105,21 @@ jobs:
 TYPESCRIPT_ES_CONFIG_FILE: ../../ui/app/eslint.config.js
 TSX_CONFIG_FILE: ../../ui/app/eslint.config.js
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.11"
+ cache: "pip"
+
+ - name: Install Bandit
+ if: ${{ steps.filter.outputs.core == 'true' }}
+ run: pip install bandit
+
+ - name: Run Bandit security checks
+ if: ${{ steps.filter.outputs.core == 'true' }}
+ run: bandit -c pyproject.toml -r .
+
+
 - name: Docs validation
 if: ${{ steps.filter.outputs.docs == 'true' }}
 run: |
diff --git a/api_app/main.py b/api_app/main.py
index 0bdc769141..ed4b507d20 100644
--- a/api_app/main.py
+++ b/api_app/main.py
@@ -74,4 +74,10 @@ def get_application() -> FastAPI:
 FastAPIInstrumentor.instrument_app(app)
 if __name__ == "__main__":
- uvicorn.run(app, host="0.0.0.0", port=8000, loop="asyncio")
+ uvicorn.run(
+ app,
+ host="0.0.0.0",
+ port=8000,
+ loop="asyncio",
+) # nosec B104 - intended for containerized deployment
+
diff --git a/api_app/models/domain/costs.py b/api_app/models/domain/costs.py
index 192454b177..852f7a7dc9 100644
--- a/api_app/models/domain/costs.py
+++ b/api_app/models/domain/costs.py
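Review bot: The `Install Bandit` step runs an unpinned `pip install bandit`, so the scanner that now gates this workflow is whatever PyPI serves at run time, and a new Bandit release can change findings (or the tool itself) with no change in the repository; pinning it, e.g. `run: pip install "bandit==<pinned version>"` (placeholder for the version you validated), gives reproducible runs, and the same reasoning applies to referencing `actions/setup-python@v5` by tag rather than by commit SHA. The `Set up Python` step also lacks the `if: ${{ steps.filter.outputs.core == 'true' }}` guard that both of its consumers carry, so it runs on every change even when the Bandit steps are skipped. With `cache: "pip"` and no `cache-dependency-path`, the action keys the cache on a requirements file it expects to find in the checkout; I cannot tell from the hunk whether one exists at the repository root. The enclosing `jobs:` block starts and ends outside the hunk.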
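Review bot: The `# nosec B104` suppression is placed on the closing `)` line of the `uvicorn.run(` call, whereas B104 is a string-literal check that, as far as I know, is reported on the line holding `"0.0.0.0"`; unless the installed Bandit version matches `nosec` across the whole multi-line statement, the finding will still be raised and the Bandit step added in this commit will fail on it. Putting the annotation on the literal's own line, `host="0.0.0.0",  # nosec B104 - intended for containerized deployment`, works regardless of that version detail. Keeping the written justification next to the suppression is good practice and should stay. The `if __name__` block is fully inside the hunk; `get_application` is not.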
@@ -18,9 +18,16 @@ class CurrencyEnum(StrEnum):
 def generate_cost_row_dict_example(granularity: GranularityEnum, currency: CurrencyEnum):
 return dict({
- "cost": random.uniform(0, 365), "currency": currency, "date":
- (datetime.today() - timedelta(
- days=-1 * random.randint(0, 1000))).date() if granularity == GranularityEnum.daily else None
+ "cost": random.uniform(0, 365), # nosec B311 - non-cryptographic random for sample data
+ "currency": currency,
+ "date":(
+ datetime.today() - timedelta(
+ days=-1 * random.randint(0, 1000) # nosec B311 - non-cryptographic random for sample data
+ )
+ ).date()
+ if granularity == GranularityEnum.daily
+ else None,
 })
diff --git a/pyproject.toml b/pyproject.toml
new file mode 100644
index 0000000000..a92e4c50bd
--- /dev/null
+++ b/pyproject.toml
@@ -0,0 +1,13 @@
+[tool.bandit]
+exclude_dirs = [
+ "api_app/tests_ma",
+ "airlock_processor/tests",
+ "resource_processor/tests_rp",
+ "e2e_tests",
+ ".venv",
+ "venv"
+]
+
+skips = [
+ "B101", # asserts in test code
+]
diff --git a/resource_processor/helpers/httpserver.py b/resource_processor/helpers/httpserver.py
index 25e63418f4..28b3a36ec7 100644
--- a/resource_processor/helpers/httpserver.py
+++ b/resource_processor/helpers/httpserver.py
@@ -13,5 +13,5 @@ class ThreadedHTTPServer(ThreadingMixIn, HTTPServer):
 def start_server():
- server = ThreadedHTTPServer(('0.0.0.0', 8080), RequestHandler)
+ server = ThreadedHTTPServer(('0.0.0.0', 8080), RequestHandler) # nosec B104 - intended for containerized/dev use
 server.serve_forever()
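Review bot: `"date":(` on the new side drops the space after the colon that every other key in this literal has and that black/ruff would emit; write it `"date": (`. The two `# nosec B311` annotations are needed as separate lines, since Bandit reports each `random.` call on the line it occurs on, and the rationale they carry (non-cryptographic sample data) is the right way to document a suppression so a later reader can tell it was deliberate rather than blanket. `generate_cost_row_dict_example` is fully inside the hunk; the `CurrencyEnum` class named in the hunk header is not.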
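Review bot: `skips = ["B101"]` disables the assert check for the whole repository, yet its comment says it is meant for test code, and the `exclude_dirs` list above already removes the test trees from the scan; as written, B101 is also silent in `api_app`, `resource_processor` and `airlock_processor` proper, where an `assert` used as a runtime guard is stripped under `python -O`. If test modules live only in the excluded directories, the global skip can go (`skips = []`, or drop the key) and any remaining legitimate assert can carry a per-line `# nosec B101`; if tests exist elsewhere, adding those paths to `exclude_dirs` is the narrower fix. Whichever is chosen, the comment should state the actual scope so the next reader knows the broader suppression was intentional.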