diff --git a/doc/languages-frameworks/ruby.section.md b/doc/languages-frameworks/ruby.section.md
index 62ab8b309635..cf2062845426 100644
--- a/doc/languages-frameworks/ruby.section.md
+++ b/doc/languages-frameworks/ruby.section.md
@@ -273,6 +273,8 @@ To test that it works, you can then try using the gem with:
 NIX_PATH=nixpkgs=$PWD nix-shell -p "ruby.withPackages (ps: with ps; [ name-of-your-gem ])"
 ```
 
+To check the gems for any security vulnerabilities, run `./maintainers/scripts/audit-ruby-packages/audit-ruby-packages.bash`.
+
 ### Packaging applications {#packaging-applications}
 
 A common task is to add a Ruby executable to Nixpkgs; popular examples would be `chef`, `jekyll`, or `sass`. A good way to do that is to use the `bundlerApp` function, that allows you to make a package that only exposes the listed executables. Otherwise, the package may cause conflicts through common paths like `bin/rake` or `bin/bundler` that aren't meant to be used.
diff --git a/maintainers/scripts/audit-ruby-packages/audit-ruby-packages.bash b/maintainers/scripts/audit-ruby-packages/audit-ruby-packages.bash
new file mode 100755
index 000000000000..6459e38d9842
--- /dev/null
+++ b/maintainers/scripts/audit-ruby-packages/audit-ruby-packages.bash
@@ -0,0 +1,6 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bundler-audit
+
+set -o errexit -o nounset -o pipefail
+
+bundle-audit check "$(nix-build --no-out-link maintainers/scripts/audit-ruby-packages/default.nix)"
diff --git a/maintainers/scripts/audit-ruby-packages/default.nix b/maintainers/scripts/audit-ruby-packages/default.nix
new file mode 100644
index 000000000000..47d394cb7875
--- /dev/null
+++ b/maintainers/scripts/audit-ruby-packages/default.nix
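Review bot: The `bundle-audit check` on the last line of the new script checks the generated lockfile against whatever copy of the advisory database is already on the machine, and nothing in the script refreshes it, so a stale local database yields false negatives for exactly the question this script is meant to answer; pass `--update` to `check` (or run `bundle-audit update` first) so the advisory data is current before the lockfile is checked. The same line hard-codes `maintainers/scripts/audit-ruby-packages/default.nix` relative to the current directory, so the script works only when invoked from the repository root, which the new doc sentence (`./maintainers/...`) implies but the script does not enforce; resolving the path from the script's own location, `bundle-audit check --update "$(nix-build --no-out-link "$(dirname "${BASH_SOURCE[0]}")/default.nix")"`, removes that dependency on cwd. A short header comment saying what is audited — the version of every gem in `rubyPackages`, rendered as a synthetic Gemfile.lock by the sibling `default.nix` — would also help a maintainer reading the one-liner.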
@@ -0,0 +1,15 @@
+let
+ pkgs = import ../../.. { };
+ lockFileBody = pkgs.lib.concatStringsSep "\n" (
+ pkgs.lib.mapAttrsToList (name: props: " ${name} (${props.version})") (
+ pkgs.lib.filterAttrs (name: _props: name != "recurseForDerivations") pkgs.rubyPackages
+ )
+ );
+in
+pkgs.runCommand "bundle-audit" { } ''
+ mkdir "$out"
+ echo 'GEM' > "$out/Gemfile.lock"
+ echo ' remote: https://rubygems.org/' >> "$out/Gemfile.lock"
+ echo ' specs:' >> "$out/Gemfile.lock"
+ echo '${lockFileBody}' >> "$out/Gemfile.lock"
+''
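Review bot: The `echo '${lockFileBody}' >> "$out/Gemfile.lock"` line routes Nix-generated text through a single-quoted shell command inside `runCommand`, so a `'` in any gem name or version would end the quote and change the command, and the `echo` builtin is one more layer between the data and the file than the task needs. The names and versions come from `pkgs.rubyPackages` itself, so this is a robustness point rather than an exposure today, but the whole shell stage can be dropped by writing the file directly with `pkgs.writeTextDir`, which also removes the `mkdir`/`echo` chain. A one-line comment above `lockFileBody` explaining that the attribute set is rendered into a synthetic Gemfile.lock for `bundle-audit` to consume would make the intent clear; I would also note in a comment that the `recurseForDerivations` filter is the only non-gem attribute being excluded, so that the assumption is visible if `rubyPackages` gains other helpers.

```nix
let
  pkgs = import ../../.. { };
  # … unchanged: lockFileBody …
in
# Write the lockfile directly; no shell quoting layer between Nix data and the file.
pkgs.writeTextDir "Gemfile.lock" ''
  GEM
    remote: https://rubygems.org/
    specs:
  ${lockFileBody}
''
```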