diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 71568d71..96ba1649 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -119,16 +119,22 @@ pip_install:
     - fdroid readmeta
     - fdroid update --help
-lint_format_safety_checks:
+lint_format_safety_bandit_checks:
   image: alpine:3.7
   variables:
     LANG: C.UTF-8
   script:
     - apk add --no-cache bash dash ca-certificates python3
     - python3 -m ensurepip
-    - pip3 install pycodestyle pyflakes 'pylint<2.0' safety
+    - pip3 install bandit pycodestyle pyflakes 'pylint<2.0' safety
     - export EXITVALUE=0
     - ./hooks/pre-commit || export EXITVALUE=1
+    - bandit
+        -ii
+        -s B110,B310,B322,B404,B408,B410,B603,B607
+        -x fdroidserver/dscanner.py,docker/install_agent.py,docker/drozer.py
+        -r $CI_PROJECT_DIR
+        || export EXITVALUE=1
     - safety check --full-report || export EXITVALUE=1
     - pylint --rcfile=.pylint-rcfile --output-format=colorized --reports=n fdroid
diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index fb344b87..55cb2b65 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -283,7 +283,7 @@ def read_config(opts, config_file='config.py'):
         logging.debug(_("Reading '{config_file}'").format(config_file=config_file))
         with io.open(config_file, "rb") as f:
             code = compile(f.read(), config_file, 'exec')
-            exec(code, None, config)
+            exec(code, None, config)  # nosec TODO switch to YAML file
     else:
         logging.warning(_("No 'config.py' found, using defaults."))
diff --git a/fdroidserver/update.py b/fdroidserver/update.py
index 4dca43f7..22297b7e 100644
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@@ -27,7 +27,7 @@ import re
 import socket
 import zipfile
 import hashlib
-import pickle
+import pickle  # nosec TODO
 import time
 import copy
 from datetime import datetime
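Review bot: The skip list `-s B110,B310,B322,B404,B408,B410,B603,B607` in the new bandit step disables eight checks for the whole tree with no record of why, so later code that trips one of them is never reported, and `-ii` additionally drops every low-confidence finding. Each skipped test and each file in the `-x` exclusion list should carry a one-line YAML comment stating the reason it is suppressed (for example `# B603/B607: subprocess calls are reviewed per call site with # nosec`), so the suppression can be revisited when the code changes. Over time the global list is better narrowed by moving suppressions to per-line `# nosec` markers next to the call they cover, which is what the other hunks of this commit already start doing.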
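Review bot: The new `# nosec TODO switch to YAML file` marker on the `exec` line silences the scanner but does not record the trust assumption that makes it acceptable: `config.py` is operator-authored code that runs with the tool's privileges, so the file must be protected as carefully as the installation itself. Replace the marker text with something like `exec(code, None, config)  # nosec: config.py is trusted, operator-written code; TODO(<issue>) replace exec with a YAML config loader` so both the reason and the tracking item survive. read_config continues outside the hunk, so I cannot see whether the file's ownership or permissions are checked before it is read; if they are not, that check belongs here.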
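Review bot: `# nosec TODO` on `import pickle` (and the identical marker on `pickle.load` in the get_cache hunk that follows) gives neither a reason nor a tracking reference, so the suppression will outlive the TODO. State what justifies it, e.g. `import pickle  # nosec: only used for the local apk cache this tool writes itself; TODO(<issue>) move the cache to JSON`, and say the same at the load site. Without that, a reader cannot tell whether the cache file is trusted local state or an input that has to be validated before use.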
@@ -461,7 +461,7 @@ def get_cache():
     ada = options.allow_disabled_algorithms or config['allow_disabled_algorithms']
     if not options.clean and os.path.exists(apkcachefile):
         with open(apkcachefile, 'rb') as cf:
-            apkcache = pickle.load(cf, encoding='utf-8')
+            apkcache = pickle.load(cf, encoding='utf-8')  # nosec TODO
             if apkcache.get("METADATA_VERSION") != METADATA_VERSION \
                 or apkcache.get('allow_disabled_algorithms') != ada:
                 apkcache = {}
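Review bot: The `METADATA_VERSION` / `allow_disabled_algorithms` comparison on the lines after the new `# nosec` runs only after `pickle.load` has already deserialized the whole file, so it is a cache-format check, not a safeguard for the deserialization, and the marker's comment should make the actual justification explicit: the cache is presumably local state that this tool writes itself. Suggest `apkcache = pickle.load(cf, encoding='utf-8')  # nosec: apkcache is local state written by this tool; TODO(<issue>) serialize as JSON instead`. get_cache continues outside the hunk, so where the cache is written and which value types it holds (which decides whether JSON is a drop-in replacement) is not visible here and should be confirmed before closing the TODO.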