diff --git a/.bandit b/.bandit new file mode 100644 index 000000000..e2ba3f0d8 --- /dev/null +++ b/.bandit @@ -0,0 +1,3 @@ +[bandit] +skips: B101 +exclude: {{cookiecutter.project_slug}} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fd9668459..01e8d6d3b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,6 +6,13 @@ on: pull_request: jobs: + bandit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Run bandit + uses: tj-actions/bandit@v1.2 + tox: runs-on: ubuntu-latest strategy: diff --git a/hooks/post_gen_project.py b/hooks/post_gen_project.py index ede14c324..c7a694eab 100644 --- a/hooks/post_gen_project.py +++ b/hooks/post_gen_project.py @@ -156,7 +156,7 @@ def generate_random_string( unsuitable = {"'", '"', "\\", "$"} suitable = all_punctuation.difference(unsuitable) symbols += "".join(suitable) - return "".join([random.choice(symbols) for _ in range(length)]) + return "".join([random.choice(symbols) for _ in range(length)]) # nosec def set_flag(file_path, flag, value=None, formatted=None, *args, **kwargs): diff --git a/setup.py b/setup.py index c72ba1c9d..0bfe73ab4 100644 --- a/setup.py +++ b/setup.py @@ -1,6 +1,7 @@ #!/usr/bin/env python -import os +import shlex +import subprocess # nosec import sys try: @@ -12,10 +13,16 @@ except ImportError: # If Django has a new release, we branch, tag, then update this setting after the tag. version = "3.0.11" + +def run_command(command): + args = shlex.split(command, posix=False) + return subprocess.check_output(args, shell=False) # nosec + + if sys.argv[-1] == "tag": - os.system(f'git tag -a {version} -m "version {version}"') - os.system("git push --tags") - sys.exit() + run_command('git tag -a {version} -m "version {version}"'.format(version=version)) + run_command("git push --tags") + sys.exit(0) with open("README.rst") as readme_file: long_description = readme_file.read()
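Review bot: The `exclude: {{cookiecutter.project_slug}}` line in the new `.bandit` config keeps the template tree — the code that actually becomes users' projects — out of the scan, so CI only ever checks `hooks/`, `setup.py` and the test harness. That is presumably because the Jinja `{{ }}` markers are not parseable Python, but it should be stated in a comment next to the line (`; template tree is not valid Python until rendered; scan a generated project instead`) and, if the exclusion is deliberate, complemented by a CI step that renders a sample project and runs bandit on the output. Also note that `skips: B101` disables the assert check repository-wide rather than just for tests; if it is only meant for the test suite, a per-path exclusion is safer than a global skip.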
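Review bot: The new `bandit` job pins both `actions/checkout@v2` and the third-party `tj-actions/bandit@v1.2` by mutable tag, so whoever controls that tag can change what runs against the repository on every push and pull request. Pin third-party actions to a full-length commit SHA with the tag in a trailing comment, e.g. `uses: tj-actions/bandit@<full-sha> # v1.2`, and let Dependabot or Renovate bump it. It is also not visible from this hunk whether the action picks up the repository's `.bandit` file on its own; if it does not, the exclusion configured there is silently ignored and the file path should be passed to the action explicitly.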
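Review bot: The `# nosec` added to the `random.choice` line in `generate_random_string` silences bandit's B311 warning instead of fixing it: `random` is a PRNG that is not suitable for generating secrets, and the set of excluded characters (`'`, `"`, `\`, `$`) suggests these strings end up in env files as keys or passwords, though the callers are outside this hunk. The drop-in fix is to use the stdlib CSPRNG, `return "".join(secrets.choice(symbols) for _ in range(length))`, with `import secrets` added at the top of the file (available since Python 3.6), and then no `# nosec` is needed. If the function really is only used for non-secret values, that should be said in its docstring rather than implied by the suppression. The function's signature and the start of its body lie before the hunk.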
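Review bot: `run_command` splits with `shlex.split(command, posix=False)`, and in non-POSIX mode shlex keeps the quote characters in the tokens, so the tag call passes the literal string `"version 3.0.11"` (including the double quotes) as the `-m` message; the previous `os.system` shell call stripped them. Since the arguments are known up front, build the argv list directly and drop the string round-trip: `subprocess.check_call(["git", "tag", "-a", version, "-m", "version {}".format(version)])` and `subprocess.check_call(["git", "push", "--tags"])`, after which `run_command`, `shlex` and the two `# nosec` markers can go. `check_call` is also preferable to `check_output` here because the git output is discarded anyway and a failure should surface as a `CalledProcessError` rather than a silently swallowed result. The `version` constant is trusted, so this is a correctness rather than an injection issue, but it is the reason bandit's B603 finding was being suppressed.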