diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 912647dbb..9866428e7 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -74,3 +74,13 @@ jobs:
 with:
 inputs: requirements.txt requirements_for_test.txt
 ignore-vulns: PYSEC-2022-237
+
+ static-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: ./.github/actions/setup-project
+ - name: Install bandit
+ run: pip install bandit
+ - name: Run scan
+ run: bandit -r app/ --confidence-level medium
diff --git a/Makefile b/Makefile
index e101e46e3..f3d47b438 100644
--- a/Makefile
+++ b/Makefile
@@ -82,6 +82,11 @@ audit:
 pip install --upgrade pip-audit
 pip-audit -r requirements.txt -r requirements_for_test.txt -l --ignore-vuln PYSEC-2022-237
 
+.PHONY: static-scan
+static-scan:
+ pip install bandit
+ bandit -r app/
+
 .PHONY: clean
 clean:
 rm -rf node_modules cache target venv .coverage build tests/.cache ${CF_MANIFEST_PATH}
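Review bot: The new `static-scan` job installs its scanner with an unpinned `pip install bandit` and checks out with the floating tag `actions/checkout@v3`, so a new bandit release or a moved tag can change what this security gate does without any change in this repository, and the scanner itself is not covered by the `pip-audit` run just above it. Pin the action to a full commit SHA (`- uses: actions/checkout@<full-sha>  # v3`) and install bandit at a fixed version, ideally by adding it to `requirements_for_test.txt` so the existing audit step also scans it (`run: pip install -r requirements_for_test.txt` or `pip install 'bandit==X.Y.Z'`). The job also declares no `permissions:` block; if the workflow does not already set a restrictive default at the top level (not visible in this hunk), add `permissions: contents: read` to the job so the token it receives is read-only.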
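Review bot: The `static-scan` target runs `bandit -r app/` with no confidence filter, while the CI job added in the same commit runs `bandit -r app/ --confidence-level medium`, so a developer's local `make static-scan` will report (and fail on) low-confidence findings that CI ignores, and the two can disagree about whether a change is clean. Make the invocation identical in both places, e.g. `bandit -r app/ --confidence-level medium`, or move the filter into a shared `[tool.bandit]` section in `pyproject.toml` / a `.bandit` file so neither caller has to repeat it. The target also installs bandit unpinned; pinning the version (or taking it from `requirements_for_test.txt`, which the neighbouring `audit` target already scans) keeps local and CI scan results reproducible.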