diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index f7447e6..c0fb07c 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -28,7 +28,7 @@ jobs:
 pip install -r requirements.txt
 - name: Run unit tests
- run: python -m pytest --junitxml results.xml
+ run: tox run -e py$version -- --junitxml results.xml
 - name: Upload test results
 uses: actions/upload-artifact@master
diff --git a/requirements.txt b/requirements.txt
index 7b50945..d70f160 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -26,4 +26,5 @@ referencing==0.31.0
 requests==2.31.0
 rpds-py==0.13.1
 sortedcontainers==2.4.0
+tox==4.11.4
 urllib3==2.0.7
diff --git a/tox.ini b/tox.ini
new file mode 100644
index 0000000..2949320
--- /dev/null
+++ b/tox.ini
@@ -0,0 +1,25 @@
+[tox]
+env_list = lint, sast, py{310, 311, 312}
+
+[testenv]
+description = Run unit tests with Pytest
+skip_install = True
+deps =
+ -r {tox_root}/requirements.txt
+ pytest
+commands =
+ pytest --basetemp={env_tmp_dir} {posargs}
+
+[testenv:lint]
+description = Run lint scan with Ruff
+deps =
+ ruff
+commands =
+ ruff check .
+
+[testenv:sast]
+description = Run SAST scan with Bandit
+deps =
+ ruff
+commands =
+ ruff check ./cbom --select S
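Review bot: `$version` in the new `run: tox run -e py$version -- --junitxml results.xml` line is a shell variable, and nothing visible in this hunk sets it. The job definition starts outside the hunk, so this may already be handled, but unless an `env:` entry defines `version`, it expands to an empty string and tox is asked for the generic `py` environment instead of one of py310/py311/py312. If the value is meant to come from the build matrix, pass it explicitly on the step, e.g. `env:` with `version: ${{ matrix.<python-version-key> }}` (placeholder key name), and make sure its form matches the tox.ini factors. Separately, the unchanged `uses: actions/upload-artifact@master` line tracks a mutable branch; pinning it to a full commit SHA (`actions/upload-artifact@<full-commit-sha>`) would keep the artifact step from silently picking up upstream changes.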
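Review bot: The `[testenv:sast]` section is described as a Bandit scan, but its `deps` and `commands` install and run only Ruff with `--select S`, which is Ruff's flake8-bandit rule set rather than Bandit itself. Anyone reading the env list or CI output may assume coverage that is not there. Either reword it, e.g. `description = Run SAST scan with Ruff (flake8-bandit "S" rules)`, or add `bandit` to `deps` and run `bandit -r ./cbom`. `ruff` and `pytest` are also unpinned here while requirements.txt pins everything else, so lint and SAST results can change between runs without any commit; pinning them keeps the gate reproducible. Because `[testenv]` installs `-r {tox_root}/requirements.txt`, the `tox==4.11.4` pin added in this commit also lands inside every test environment, which a separate dev-requirements file would avoid.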