diff --git a/Makefile b/Makefile
index 3c34343a..5891a82b 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@ export DOCKER_BUILDKIT=1
 lint:
 @flake8 $$(find pyca tests -name '*.py') .github/selenium-tests
- @bandit pyca tests
+ @bandit -s B404,B602,B603 -r pyca
 @npm run eslint
 test:
diff --git a/pyca/ingest.py b/pyca/ingest.py
index 2a9dda50..5e984062 100644
--- a/pyca/ingest.py
+++ b/pyca/ingest.py
@@ -53,7 +53,8 @@ def ingest(event):
 # ingest services to ensure that not every capture agent uses the same
 # service at the same time
 service_url = service('ingest', force_update=True)
- service_url = service_url[random.randrange(0, len(service_url))]
+ # nosec: we do not need a secure random number here
+ service_url = service_url[random.randrange(0, len(service_url))] # nosec
 logger.info('Selecting ingest service to use: ' + service_url)
 # create mediapackage
@@ -144,7 +145,8 @@ def control_loop():
 .filter(RecordedEvent.status == Status.FINISHED_RECORDING).first()
 if event:
- delay = random.randint(config('ingest', 'delay_min'),
+ # nosec: we do not need a secure random number here
+ delay = random.randint(config('ingest', 'delay_min'), # nosec
 config('ingest', 'delay_max'))
 logger.info("Delaying ingest for %s seconds", delay)
 time.sleep(delay)
diff --git a/pyca/ui/jsonapi.py b/pyca/ui/jsonapi.py
index 07094f40..f2601046 100644
--- a/pyca/ui/jsonapi.py
+++ b/pyca/ui/jsonapi.py
@@ -250,6 +250,8 @@ def logs():
 if not cmd:
 return make_error_response('Logs are disabled.', 404)
+ # We specifically allow shell. This is no security issue since only admins
+ # may specify this command.
 logs = subprocess.run(cmd, shell=True, check=True, stdout=subprocess.PIPE,
 stderr=subprocess.STDOUT)\
 .stdout\
diff --git a/pyca/ui/opencast_commands.py b/pyca/ui/opencast_commands.py
index 13078abf..a9cebdb1 100644
--- a/pyca/ui/opencast_commands.py
+++ b/pyca/ui/opencast_commands.py
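Review bot: Skipping B602 (together with B603 and B404) package-wide with `-s` on the new bandit line silences every `shell=True` subprocess call in pyca, not only the admin-configured one in `jsonapi.logs()` that this commit documents, so a future `subprocess.run(..., shell=True)` built from request data would no longer be reported. The per-line approach the commit already uses for the `random` calls keeps the checker active while still accepting the known case: `@bandit -r pyca` here and `# nosec B602` on the `subprocess.run(` line in pyca/ui/jsonapi.py. The scan also no longer covers `tests`; if that is intentional it is worth a sentence in the commit description, since bandit has been running there so far.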
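Review bot: The bare `# nosec` appended to the `random.randrange` line suppresses every bandit finding on that line rather than only B311 (standard pseudo-random generator); the commit already scopes one marker to a check id in opencast_commands.py (`# nosec B406`), so `# nosec B311` would be consistent and would still surface any other finding on that line. The standalone `# nosec: we do not need a secure random number here` comment above it does not suppress anything on its own as far as bandit's line-based matching goes, so it is purely explanatory; dropping the `nosec:` prefix avoids suggesting otherwise, e.g. `# Load balancing only; a cryptographic random source is not needed here`. The same applies to the `random.randint` line in the control_loop() hunk below and to the `random.randrange` line in the schedule() hunk of pyca/ui/opencast_commands.py. Both ingest() and control_loop() start before and continue after their hunks.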
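Review bot: The new comment above `subprocess.run(cmd, shell=True, ...)` justifies the shell by who may set the command, but the hunk does not show where `cmd` is read (logs() starts before the hunk), so a reader cannot check that trust boundary from here. Naming the source makes the claim verifiable and tells the next maintainer what must not change, e.g. `# cmd comes from the service configuration, never from request input, so a shell string is intentional here` (adjust if cmd is read from somewhere else). If the configuration is writable by an account other than the administrator, that file's permissions, not the shell flag, become the boundary worth documenting alongside it.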
@@ -7,7 +7,7 @@
 :license: LGPL – see license.lgpl for more details.
 '''
-from xml.sax.saxutils import escape as xml_escape
+from xml.sax.saxutils import escape as xml_escape # nosec B406
 from pyca.config import config
 from pyca.utils import http_request, service
 from datetime import datetime, timedelta
@@ -48,7 +48,7 @@ def schedule(title='pyCA Recording', duration=60, creator=None):
 # ingest services to ensure that not every capture agent uses the same
 # service at the same time
 service_url = service('ingest', force_update=True)
- service_url = service_url[random.randrange(0, len(service_url))]
+ service_url = service_url[random.randrange(0, len(service_url))] # nosec
 logger.info('Selecting ingest service for scheduling: ' + service_url)
 # create media package
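Review bot: The `# nosec B406` on the `xml.sax.saxutils` import gives no reason, and the reason is what makes the suppression sound: bandit flags the module because of its XML parser, while this line imports only `escape`, a string-escaping helper that parses nothing. Recording that next to the marker saves the next reader from re-auditing it: `from xml.sax.saxutils import escape as xml_escape  # nosec B406 - only escape() is used, no XML is parsed`.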