diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f555f613..eb65036f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -140,7 +140,7 @@ lint_format_safety_bandit_checks:
     - ./hooks/pre-commit || export EXITVALUE=1
     - bandit
         -ii
-        -s B110,B310,B322,B404,B408,B410,B603,B607
+        -s B110,B322,B404,B408,B410,B603,B607
         -r $CI_PROJECT_DIR fdroid
         || export EXITVALUE=1
     - safety check --full-report || export EXITVALUE=1
diff --git a/fdroidserver/checkupdates.py b/fdroidserver/checkupdates.py
index 8620f899..5aa1e4bf 100644
--- a/fdroidserver/checkupdates.py
+++ b/fdroidserver/checkupdates.py
@@ -64,7 +64,7 @@ def check_http(app):
         if len(urlcode) > 0:
             logging.debug("...requesting {0}".format(urlcode))
             req = urllib.request.Request(urlcode, None)
-            resp = urllib.request.urlopen(req, None, 20)
+            resp = urllib.request.urlopen(req, None, 20)  # nosec B310 scheme is filtered above
             page = resp.read().decode('utf-8')
 
             m = re.search(codeex, page)
@@ -77,7 +77,7 @@ def check_http(app):
             if urlver != '.':
                 logging.debug("...requesting {0}".format(urlver))
                 req = urllib.request.Request(urlver, None)
-                resp = urllib.request.urlopen(req, None, 20)
+                resp = urllib.request.urlopen(req, None, 20)  # nosec B310 scheme is filtered above
                 page = resp.read().decode('utf-8')
 
             m = re.search(verex, page)
@@ -295,7 +295,7 @@ def check_gplay(app):
     headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0'}
     req = urllib.request.Request(url, None, headers)
     try:
-        resp = urllib.request.urlopen(req, None, 20)
+        resp = urllib.request.urlopen(req, None, 20)  # nosec B310 URL base is hardcoded above
         page = resp.read().decode()
     except urllib.error.HTTPError as e:
         return (None, str(e.code))
diff --git a/fdroidserver/import.py b/fdroidserver/import.py
index 51713cee..b463824c 100644
--- a/fdroidserver/import.py
+++ b/fdroidserver/import.py
@@ -40,8 +40,9 @@ SETTINGS_GRADLE = re.compile(r'''include\s+['"]:([^'"]*)['"]''')
 # when one of these is found it's assumed that's the information we want.
 # Returns repotype, address, or None, reason
 def getrepofrompage(url):
-
-    req = urllib.request.urlopen(url)
+    if not url.startswith('http'):
+        return (None, _('{url} does not start with "http"!'.format(url=url)))
+    req = urllib.request.urlopen(url)  # nosec B310 non-http URLs are filtered out
     if req.getcode() != 200:
         return (None, 'Unable to get ' + url + ' - return code ' + str(req.getcode()))
     page = req.read().decode(req.headers.get_content_charset())
diff --git a/tests/checkupdates.TestCase b/tests/checkupdates.TestCase
index ab68cd8d..5d3ca311 100755
--- a/tests/checkupdates.TestCase
+++ b/tests/checkupdates.TestCase
@@ -19,6 +19,7 @@ if localmodule not in sys.path:
 
 import fdroidserver.checkupdates
 import fdroidserver.metadata
+from fdroidserver.exception import FDroidException
 
 
 class CommonTest(unittest.TestCase):
@@ -123,6 +124,17 @@ class CommonTest(unittest.TestCase):
             self.assertEqual(vername, '1.1.9')
             self.assertEqual(vercode, '10109')
 
+    def test_check_http_blocks_unknown_schemes(self):
+        app = fdroidserver.metadata.App()
+        for scheme in ('file', 'ssh', 'http', ';pwn'):
+            app.id = scheme
+            faked = scheme + '://fake.url/for/testing/scheme'
+            app.UpdateCheckData = faked + '|ignored|' + faked + '|ignored'
+            app.metadatapath = 'metadata/' + app.id + '.yml'
+            vername, vercode = fdroidserver.checkupdates.check_http(app)
+            self.assertIsNone(vername)
+            self.assertTrue(FDroidException.__name__ in vercode)
+
     def test_check_http_ignore(self):
         fdroidserver.checkupdates.options = mock.Mock()