diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
index 46663929f6..c57ffd351f 100644
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@@ -20,4 +20,9 @@ jobs:
 security-events: write
 steps:
 - name: Perform Bandit Analysis
- uses: PyCQA/bandit-action@8a1b30610f61f3f792fe7556e888c9d7dffa52de
+ # KEEP IN SYNC WITH bandit rev in .pre-commit-config.yaml
+ # Current runner uses Python 3.8, so the action installs bandit==1.7.10
+ # via `pip install bandit[sarif]`. If runner Python moves to >=3.9,
+ # the action will resolve to 1.8.x and you'll need to bump pre-commit.
+ # (Bandit >=1.8.0 dropped Python 3.8 via Requires-Python metadata.)
+ uses: PyCQA/bandit-action@8a1b30610f61f3f792fe7556e888c9d7dffa52de # v1.0.0
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 4da2dddef3..d65ffce912 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -9,7 +9,6 @@ ci:
 autoupdate_branch: ''
 autoupdate_commit_msg: '[pre-commit.ci] pre-commit autoupdate'
 autoupdate_schedule: quarterly
- skip: [bandit]
 submodules: false
 
 # Please update the rev: SHAs below with this command:
@@ -66,7 +65,7 @@ repos:
 - id: rst-inline-touching-normal
 - repo: https://github.com/PyCQA/bandit
- rev: 2d0b675b04c80ae42277e10500db06a0a37bae17 # frozen: 1.8.6
+ rev: "36fd65054fc8864b4037d0918904f9331512feb5" # frozen: 1.7.10 KEEP IN SYNC WITH .github/workflows/bandit.yml
 hooks:
 - id: bandit
 args:
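Review bot: The new comment block states as fact that the runner uses Python 3.8, but nothing in this hunk pins that — the job's `runs-on` and any Python setup step are outside the hunk, so the bandit version the action installs is whatever `pip install bandit[sarif]` resolves at run time, and the pre-commit pin can drift from it with no CI signal. The comment would be more durable if it pointed at where the interpreter is actually decided and said what to verify, e.g. `# Runner Python decides which bandit the action installs; check the job's Python setup before bumping the pre-commit rev`. Stating "installs bandit==1.7.10" as a fact is already a snapshot that goes stale silently; hedging it ("currently resolves to") would match reality better. The `# v1.0.0` annotation beside the full-SHA pin is the right shape for dependabot to keep the human-readable version current.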
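Review bot: Dropping `skip: [bandit]` means pre-commit.ci now runs the bandit hook, but the unchanged `autoupdate_schedule: quarterly` two lines above it means pre-commit.ci's autoupdate will also try to move the bandit `rev` forward on its next cycle, which would undo the 1.7.10 pin that the later hunk labels "KEEP IN SYNC". If the intent is to hold bandit at 1.7.10 until the workflow runner's Python moves, that constraint should be recorded next to the `ci:` settings too, e.g. `# bandit rev is intentionally held at 1.7.10 (see .github/workflows/bandit.yml); review autoupdate PRs for it`, so the next autoupdate PR is not merged on autopilot. I have not confirmed how pre-commit.ci treats a `frozen:` rev, so whether it re-pins to a newer SHA or a tag is worth checking before relying on the comment alone.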