GEM_HOME is set to /usr/local/bundle and made sticky and world-writable. This could introduce several supply-chain-related vulnerabilities, which are usually harder to detect since most scanning tools, including SBOM tools, do not collect all files. A workaround could be to encourage the use of GEM_PATH with a separate directory such as /opt/ruby-latest/bundle. Alternatively, the documentation could be updated to mention the presence of this sticky, world-writable directory in the images.
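
As an added example (not code from the image or its maintainers), the Ruby sketch below checks a gem directory for the sticky and world-writable bits and hashes every file in it, so that files added or changed after a baseline was taken become visible. The helper names and the temporary sample tree are constructed for illustration.

```ruby
require "digest"
require "find"
require "fileutils"
require "tmpdir"

# Permission flags that matter for a shared gem directory (hypothetical helper).
def gem_dir_mode_findings(dir)
  st = File.stat(dir)
  findings = []
  findings << :world_writable if st.world_writable?
  findings << :sticky if st.sticky?
  findings
end

# SHA-256 of every regular file under dir, keyed by path relative to dir.
# Symlinks are skipped so a link cannot point the hash at a file elsewhere.
def gem_dir_manifest(dir)
  manifest = {}
  Find.find(dir) do |path|
    next if File.symlink?(path) || !File.file?(path)
    manifest[path.delete_prefix("#{dir}/")] = Digest::SHA256.file(path).hexdigest
  end
  manifest
end

# Paths added, removed or changed between two manifests.
def manifest_diff(baseline, current)
  shared = baseline.keys & current.keys
  { added: (current.keys - baseline.keys).sort,
    removed: (baseline.keys - current.keys).sort,
    changed: shared.reject { |k| baseline[k] == current[k] }.sort }
end

# Constructed sample: a temporary tree standing in for /usr/local/bundle.
def demo
  Dir.mktmpdir do |root|
    dir = File.join(root, "bundle")
    lib = File.join(dir, "gems/example-1.0.0/lib")
    FileUtils.mkdir_p(lib)
    File.write(File.join(lib, "example.rb"), "module Example; end\n")
    File.chmod(0o1777, dir) # same mode the report describes
    baseline = gem_dir_manifest(dir)
    # Simulate drift after the baseline: one new file, one modified file.
    File.write(File.join(lib, "extra.rb"), "# not in baseline\n")
    File.write(File.join(lib, "example.rb"), "module Example; VERSION = 1; end\n")
    { mode: gem_dir_mode_findings(dir),
      diff: manifest_diff(baseline, gem_dir_manifest(dir)) }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

On a real image, the baseline would be taken at build time over the directory named by GEM_HOME and each entry of GEM_PATH, then compared again in the running container.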