diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 0ef0fe842..3246cca84 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,18 +1,26 @@
 repos:
-- repo: https://github.com/gitleaks/gitleaks
- rev: v8.16.3
- hooks:
- - id: gitleaks
-- repo: https://github.com/jumanjihouse/pre-commit-hooks
- rev: 3.0.0
- hooks:
- - id: shellcheck
-- repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.4.0
- hooks:
- - id: end-of-file-fixer
- - id: trailing-whitespace
-- repo: https://github.com/pylint-dev/pylint
- rev: v2.17.2
- hooks:
- - id: pylint
+ - repo: https://github.com/gitleaks/gitleaks
+ rev: v8.16.3
+ hooks:
+ - id: gitleaks
+ - repo: https://github.com/jumanjihouse/pre-commit-hooks
+ rev: 3.0.0
+ hooks:
+ - id: shellcheck
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
+ - repo: https://github.com/pylint-dev/pylint
+ rev: v2.17.2
+ hooks:
+ - id: pylint
+ - repo: https://github.com/PyCQA/bandit
+ rev: 1.9.4
+ hooks:
+ - id: bandit
+ name: "Bandit security scan (Python scripts)"
+ args: ["-r", "--severity-level", "medium", "--confidence-level", "high"]
+ files: ^scripts/.*\.py$
+ exclude: ^tests/
diff --git a/README.md b/README.md
index e12a42453..d0ac57cca 100644
--- a/README.md
+++ b/README.md
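Review bot: `exclude: ^tests/` on the last line of the new bandit entry can never match anything, because `files: ^scripts/.*\.py$` already limits the hook to paths under `scripts/` and the exclude pattern is anchored at the repository root; if the intent is to skip test code inside the scripts tree, it should read `exclude: ^scripts/tests/`, otherwise the line should be dropped so it does not suggest coverage that is not there. The `--confidence-level high` argument also discards every medium- and low-confidence finding (B608 hardcoded SQL expressions, for example, are reported below high confidence), so a developer running `bandit -r scripts` by hand sees a different result set than the hook does. Putting the thresholds in a `[tool.bandit]` section of pyproject.toml and passing it with `-c` keeps the hook and manual runs in agreement. `-r` is harmless here but superfluous, since pre-commit passes explicit file paths rather than a directory.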
@@ -45,6 +45,22 @@ Please read [README.md](./scripts/README.md)
 Please read [README.md](./scripts/README.md)
+### Security Scanning
+
+First time setup:
+```bash
+pip install pre-commit
+pre-commit install
+```
+
+A Bandit pre-commit hook scans Python scripts for security issues on commit.
+It runs automatically via pre-commit (medium severity, high confidence).
+
+To run manually:
+```bash
+pre-commit run bandit --all-files
+```
+
 ### Building and Deploying the Cornucopia website
 https://cornucopia.owasp.org contains the card browser for each of the cards in the cornucopia suits together with the taxonomy and in depth explaination for each of the cards in the suits.
diff --git a/scripts/convert.py b/scripts/convert.py
index 2ea5e50f3..3759455f6 100644
--- a/scripts/convert.py
+++ b/scripts/convert.py
@@ -10,6 +10,7 @@ import yaml
 import zipfile
 import xml.etree.ElementTree as ElTree
+from defusedxml import ElementTree as DefusedElTree
 from typing import Any, Dict, List, Tuple, cast
 from operator import itemgetter
 from itertools import groupby
@@ -1126,7 +1127,7 @@ def _find_xml_elements(tree: Any) -> List[ElTree.Element]:
 def replace_text_in_xml_file(filename: str, replacement_values: List[Tuple[str, str]]) -> None:
 logging.debug(f" --- starting xml_replace for (unknown)")
 try:
- tree = ElTree.parse(filename)
+ tree = DefusedElTree.parse(filename)
 except Exception as e:
 logging.error(f"Failed to parse XML file (unknown): {e}")
 return
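Review bot: `from defusedxml import ElementTree as DefusedElTree` introduces a third-party package, and nothing in this diff declares it in a requirements file or pyproject, so unless it is already listed there `convert.py` will fail at import time for every command, not only the XML path; please confirm it is pinned wherever the scripts' dependencies are installed, including any CI job or container image. Stylistically the new line sits inside the stdlib group, between `import xml.etree.ElementTree as ElTree` and `from typing ...`; PEP 8 places third-party imports in their own group after the stdlib block, i.e. after `from itertools import groupby` with a blank line in between. Keeping the stdlib `ElTree` alias is correct, since it is still used for the `ElTree.Element` annotations and defusedxml hands back ordinary Element objects.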
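Review bot: The `except Exception as e` right after the changed line now also catches defusedxml's `DefusedXmlException` family (`EntitiesForbidden`, `DTDForbidden`, `ExternalReferenceForbidden`), so a file that was refused for carrying entity or DTD constructs is logged as a generic parse failure and silently skipped by the `return`, indistinguishable from a merely malformed document. Catch that family first and say so in the log, e.g. `except DefusedXmlException as e:` / `logging.error(f"Refused XML with forbidden constructs in {filename}: {e}")` / `return` ahead of the existing handler, with `from defusedxml import DefusedXmlException` added to the import block. If the `(unknown)` text in both messages is really in the source rather than a rendering artefact, those f-strings interpolate nothing and the log never names the offending file, although `filename` is in scope. Any other `ElTree.parse` or `ElTree.fromstring` call sites in the file, if there are any, still go through the stdlib parser; this hunk changes only the one in replace_text_in_xml_file, whose body continues past the end of the hunk.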