diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index c4a2b1e5..a1eb0dcf 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -171,7 +171,7 @@
 # The truncated dpkg-preconfigu is intentional, process names are
 # truncated at the sysdig level.
 - list: package_mgmt_binaries
-  items: [rpm_binaries, deb_binaries, update-alternat]
+  items: [rpm_binaries, deb_binaries, update-alternat, gem]
 
 - macro: package_mgmt_procs
   condition: proc.name in (package_mgmt_binaries)
@@ -380,6 +380,13 @@
 - macro: mysql_image_running_healthcheck
   condition: container.image=mysql and proc.cmdline="sh -c /healthcheck.sh"
 
+- macro: bundle_running_ruby
+  condition: >
+    (proc.pname=ruby and (
+      proc.aname[2]=bundle or
+      proc.aname[3]=bundle or
+      proc.aname[4]=bundle))
+
 # Qualys seems to run a variety of shell subprocesses, at various
 # levels. This checks at a few levels without the cost of a full
 # proc.aname, which traverses the full parent heirarchy.
@@ -838,6 +845,7 @@
       and not run_by_passenger_agent
       and not parent_java_running_jenkins
       and not jenkins_script_sh
+      and not bundle_running_ruby
     output: >
       Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3])
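Review bot: Adding `gem` to package_mgmt_binaries makes every process named gem satisfy `package_mgmt_procs` (`proc.name in (package_mgmt_binaries)`), and the rules that consume that macro are outside this hunk, so the breadth of the new exemption cannot be checked here. The match is on process name alone, so any binary renamed to gem inside a container inherits whatever write exemptions the macro grants, and `gem install` itself runs arbitrary Ruby (extconf.rb) while building native extensions. The list already documents the odd `update-alternat` entry; a one-line note for gem would help the next reviewer, e.g. `# gem: rubygems installs write below the ruby gems dir and /usr/local/bin` — confirm the paths against the rules that use package_mgmt_procs before committing to that wording.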
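Review bot: The new `bundle_running_ruby` macro has no comment explaining the process tree it is meant to match, unlike the adjacent Qualys macro that documents why it checks only a few ancestor levels. It also keys purely on process names (`proc.pname=ruby` plus `bundle` at aname[2] through aname[4]), so any process in the container can satisfy it by naming its executables ruby and bundle, and nothing in the condition constrains the shell's cmdline or the container image. Suggest a header comment along the lines of `# bundler invokes ruby, which spawns shells (e.g. native gem builds); checked at three ancestor levels like the Qualys macro below. Name-based only - a false-positive filter, not a trust boundary.`, and narrowing the condition with a `container.image` term if the images that need this exemption are known.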
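Review bot: The added `and not bundle_running_ruby` exception inspects ancestors up to `proc.aname[4]`, but the rule's output only prints `gparent=%proc.aname[2]` and `ggparent=%proc.aname[3]`, so an analyst tuning or investigating this exemption cannot see the fourth ancestor level that may or may not have matched. Appending `gggparent=%proc.aname[4]` to the output line would make alerts that narrowly miss the exception self-explanatory. As with the other name-based exemptions in this list, a shell launched under attacker-controlled process names will now be silent; the rule's condition begins outside this hunk, so whether earlier terms already restrict the container image cannot be seen here.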