diff --git a/.gitignore b/.gitignore
index bbb4018..4e8acc1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -223,6 +223,10 @@ cython_debug/
 .github/copilot-instructions.md
 CLAUDE.md
 
+# CodeQL local analysis
+.codeql-db/
+.codeql-results/
+
 # Ruff stuff:
 .ruff_cache/
 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 40804fa..b0878c2 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -16,6 +16,15 @@ repos:
 rev: 6.0.1
 hooks:
 - id: isort
+ - repo: https://github.com/PyCQA/bandit
+ rev: 1.8.3
+ hooks:
+ - id: bandit
+ args:
+ - -c=pyproject.toml
+ - --severity-level=medium
+ - --confidence-level=medium
+ additional_dependencies: ['bandit[toml]']
 - repo: https://github.com/pre-commit/pre-commit-hooks
 rev: v5.0.0
 hooks:
diff --git a/pyproject.toml b/pyproject.toml
index 15e3d81..a12aff1 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -119,6 +119,16 @@ follow_imports = "silent"
 ignore_missing_imports = true
 no_implicit_optional = true
 
+[tool.bandit]
+exclude_dirs = ["tests", ".venv"]
+skips = [
+ "B101", # assert used legitimately in non-test code
+ "B324", # MD5/SHA1 used for identifiers and cache keys, not security
+ "B413", # false positive: pycryptodome uses Crypto namespace, not deprecated pyCrypto
+ "B314", # XML from DRM protocol headers, not untrusted user input
+ "B608", # SQL table names from internal service tags, not user input; parameterized values
+]
+
 [tool.uv.sources]
 unshackle = { workspace = true }
 subby = { git = "https://github.com/vevv/subby.git", rev = "1ea6a52028c5bea8177c8abc91716d74e4d097e1" }
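Review bot: `additional_dependencies: ['bandit[toml]']` in the new bandit hook is unpinned, so the version pip resolves into the hook environment is decided at install time rather than by the commit, and may not match the `rev: 1.8.3` checkout the hook is supposed to run; pin it to the same version, `additional_dependencies: ['bandit[toml]==1.8.3']`, so the scan result is reproducible across machines and CI. The `--severity-level=medium` and `--confidence-level=medium` flags also drop every low-severity or low-confidence finding entirely rather than demoting it, which is a fair noise trade-off for a pre-commit gate but should be stated next to the hook, for example `# low-severity/low-confidence findings are not reported here; run bandit without the level flags for a full scan`, so nobody reads a clean hook run as a full scan. The `repos` list continues outside this hunk.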
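Review bot: The global `skips` entries for B608 and B314 disable SQL-injection and unsafe-XML detection for every file in the project, while the comments beside them justify only specific existing call sites (internal service-tag table names, DRM protocol headers); any future string-built SQL or XML parsing of remote data would then pass the hook silently. Bandit honours per-line `# nosec B608` / `# nosec B314` annotations, so moving the justifications to those call sites keeps the rules active for new code with the same local rationale. For B324 the same applies, and if the project runs on Python 3.9 or newer the call site can use `hashlib.md5(data, usedforsecurity=False)`, which bandit recognises without any config skip. The B314 rationale is also worth re-checking: XML received in protocol headers from a remote server is network input, which is exactly the case the rule targets, and `defusedxml` is the drop-in replacement it recommends. The surrounding `[tool.*]` tables continue outside this hunk.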