diff --git a/pkgs/development/python-modules/bandit/default.nix b/pkgs/development/python-modules/bandit/default.nix
new file mode 100644
index 000000000000..64ef8ec53fa5
--- /dev/null
+++ b/pkgs/development/python-modules/bandit/default.nix
@@ -0,0 +1,44 @@
+{ buildPythonPackage
+, fetchPypi
+, lib
+, isPy3k
+
+# pythonPackages
+, GitPython
+, pbr
+, pyyaml
+, six
+, stevedore
+}:
+
+buildPythonPackage rec {
+  pname = "bandit";
+  version = "1.6.2";
+  disabled = !isPy3k;
+
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "0rb034c99pyhb4a60z7f2kz40cjydhm8m9v2blaal1rmhlam7rs1";
+  };
+
+  propagatedBuildInputs = [
+    GitPython
+    pbr
+    pyyaml
+    six
+    stevedore
+  ];
+
+  # Framework is Tox, tox performs 'pip install' inside the virtual-env
+  #   and this requires Network Connectivity
+  doCheck = false;
+
+  meta = {
+    description = "Security oriented static analyser for python code";
+    homepage = "https://bandit.readthedocs.io/en/latest/";
+    license = lib.licenses.asl20;
+    maintainers = with lib.maintainers; [
+      kamadorueda
+    ];
+  };
+}
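Review bot: With `doCheck = false;` on the line after the tox comment, the derivation never exercises the built package, so a missing or incompatible propagated dependency (the stevedore plugin machinery bandit loads at startup, for example) would only surface for users at runtime rather than at build time. Since the full tox suite is skipped for the stated network reason, add `pythonImportsCheck = [ "bandit" ];` next to `doCheck` so the build at least verifies the module and its imports resolve in the sandbox. It would also be worth stating in the comment whether the upstream tests can be run directly with pytest instead of through tox, since "requires network" applies to tox's pip install step rather than necessarily to the tests themselves; I have not confirmed that from the visible lines.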
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index e7e195673080..759d3ecf0e21 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -1670,6 +1670,8 @@ in {
 
   babelfish = callPackage ../development/python-modules/babelfish {};
 
+  bandit = callPackage ../development/python-modules/bandit {};
+
   basiciw = callPackage ../development/python-modules/basiciw {
     inherit (pkgs) gcc wirelesstools;
   };