diff --git a/tests/test_create_template.py b/tests/test_create_template.py
index 0e61241..20ff4bb 100644
--- a/tests/test_create_template.py
+++ b/tests/test_create_template.py
@@ -39,13 +39,12 @@ def test_cookiecutter_make_help(cookies):  # type: ignore
     """ensure the make help command runs without error"""
     result = cookies.bake()
 
-    make_proc = subprocess.Popen(
+    make_proc = subprocess.run(
         ["/usr/bin/make"],
-        shell=False,
+        shell=False,  # noqa: S603
         stdout=subprocess.PIPE,
         stderr=subprocess.STDOUT,
         cwd=result.project_path,
-    )  # nosec
-    # stdout, stderr are for debuggin
-    stdout, stderr = make_proc.communicate()
+        check=True,
+    )
     assert make_proc.returncode == 0
diff --git a/{{cookiecutter.repo_name}}/.code_quality/ruff.toml b/{{cookiecutter.repo_name}}/.code_quality/ruff.toml
index 192912e..7fced26 100644
--- a/{{cookiecutter.repo_name}}/.code_quality/ruff.toml
+++ b/{{cookiecutter.repo_name}}/.code_quality/ruff.toml
@@ -54,14 +54,22 @@ select = [
     "PL",
     # isort
     "I",
+    # flake8-bandit
+    "S",
     # pyupgrade
     "UP",
     # ruff
     "RUF",
+    # flake8-simplify
+    "SIM",
     # tryceratops
     "TRY",
     ]
-ignore = ["E203"]
+ignore = [
+    "E203",
+        # bandit: Use of `assert` detected
+    "S101"
+    ]
 # Allow fix for all enabled rules (when `--fix`) is provided.
 fixable = ["ALL"]
 unfixable = []
diff --git a/{{cookiecutter.repo_name}}/.pre-commit-config.yaml b/{{cookiecutter.repo_name}}/.pre-commit-config.yaml
index 7953d47..b9600c4 100644
--- a/{{cookiecutter.repo_name}}/.pre-commit-config.yaml
+++ b/{{cookiecutter.repo_name}}/.pre-commit-config.yaml
@@ -2,16 +2,12 @@ repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.5.0
     hooks:
-      - id: trailing-whitespace
-      - id: end-of-file-fixer
-        exclude_types: [jupyter]
       - id: check-yaml
         exclude: ^(mkdocs\.yml|{{cookiecutter.repo_name}}/mkdocs\.yml)$
       - id: check-case-conflict
       - id: debug-statements
       - id: detect-private-key
       - id: check-merge-conflict
-      - id: check-ast
       - id: check-added-large-files
         args: [--maxkb=100000] # 100MB
 
@@ -34,14 +30,6 @@ repos:
         args:
           - --config-file=.code_quality/mypy.ini
 
-  - repo: https://github.com/PyCQA/bandit
-    rev: 1.7.8
-    hooks:
-      - id: bandit
-        args:
-          - -c
-          - .code_quality/bandit.yaml
-
   - repo: https://github.com/Yelp/detect-secrets
     rev: v1.4.0
     hooks:
@@ -50,3 +38,10 @@ repos:
       - id: detect-secrets
         name: 'detect-secrets-jupyter'
         args: ['--exclude-files', '.*[^i][^p][^y][^n][^b]$', '--exclude-lines', '"(hash|id|image/\w+)":.*', ]
+
+  - repo: https://github.com/commitizen-tools/commitizen
+    rev: v3.20.0
+    hooks:
+      - id: commitizen
+      - id: commitizen-branch
+        stages: [push]