diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
new file mode 100644
index 0000000..0670805
--- /dev/null
+++ b/.github/workflows/bandit.yml
@@ -0,0 +1,24 @@
+name: Security check - Bandit
+
+on: push
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Security check - Bandit
+      uses: ioggstream/bandit-report-artifacts@v1.7.4
+      with:
+        project_path: src
+        # ignore_failure: true
+
+    # This is optional
+    #- name: Security check report artifacts
+    #  uses: actions/upload-artifact@v4
+    #  with:
+    #    name: Security report
+    #    path: output/security_report.txt
+
diff --git a/src/.bandit b/src/.bandit
new file mode 100644
index 0000000..830c261
--- /dev/null
+++ b/src/.bandit
@@ -0,0 +1,4 @@
+[bandit]
+exclude = tests,locales
+# token in vocabularies
+skips = B106