diff --git a/.buildkite/scripts/run_ci_step.sh b/.buildkite/scripts/run_ci_step.sh
index 01b9127d..9919904c 100755
--- a/.buildkite/scripts/run_ci_step.sh
+++ b/.buildkite/scripts/run_ci_step.sh
@@ -8,6 +8,10 @@ JAVA_VERSION="$(cat .java-version)"
 export RUBY_VERSION
 export JAVA_VERSION
+# The Docker image excludes dev/test gems for a leaner production build.
+# CI needs them, so clear the 'without' config before installing.
+bundle config unset without
+
 case $1 in
 lint)
 echo "---- running linter"
diff --git a/Dockerfile b/Dockerfile
index 1b8cfa34..3904eea3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,6 +14,9 @@ RUN groupadd -g 451 crawlergroup && \
 USER crawleruser
 COPY --chown=crawleruser:crawlergroup --chmod=775 . /home/app
 WORKDIR /home/app
+# Exclude development and test gems from the production image to reduce
+# image size and CVE surface area (e.g. rack, rspec, rubocop, pry, etc.)
+RUN bundle config set --local without 'development test'
 RUN make clean install
 # Clean up build dependencies
diff --git a/Dockerfile.wolfi b/Dockerfile.wolfi
index 4813a9aa..bc3928bb 100644
--- a/Dockerfile.wolfi
+++ b/Dockerfile.wolfi
@@ -48,6 +48,9 @@ WORKDIR /home/app
 # skip jenv/rbenv setup
 ENV IS_DOCKER=1
+# Exclude development and test gems from the production image to reduce
+# image size and CVE surface area (e.g. rack, rspec, rubocop, pry, etc.)
+RUN bundle config set --local without 'development test'
 RUN make clean install
 # add more directories and files not to be copied to the runtime image from /home/app
 RUN rm -rf .git .github .idea .devcontainer .buildkite
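Review bot: `bundle config unset without` is unscoped, while both Dockerfiles set the value with `--local`; matching the scope, `bundle config unset --local without`, keeps the script from also deleting a developer's global `without` setting whenever it is run outside the container. A `BUNDLE_WITHOUT` variable in the environment takes precedence over the config file and is not cleared by this command, so the new comment could also state that the CI environment must not set it. The `case` that follows continues outside the hunk, so the install step the comment refers to is not visible here.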
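Review bot: The new comment overstates what the exclusion buys: `bundle config set --local without 'development test'` only skips installing those gems, while `Gemfile.lock` still lists them, so a vulnerability scanner that reads the lockfile rather than the installed gems will most likely keep reporting them. Suggest adding `# Note: Gemfile.lock still lists these gems, so lockfile-based scanners may still report them.` under the existing comment. The identical line and comment appear in the Dockerfile.wolfi hunk, so the same wording applies there. Because `--local` writes the setting to `.bundle/config` under /home/app, every later `bundle` invocation in the image depends on that file (or an equivalent `BUNDLE_WITHOUT`) being present.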
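Review bot: `--local` stores the setting in `.bundle/config` inside /home/app, and the cleanup line below this hunk strips several dot-directories before the tree is copied to the runtime image; if `.bundle` is not carried over (and `BUNDLE_WITHOUT` is not set in the runtime stage), bundler there will presumably see a `Gemfile.lock` that lists gems which were never installed and refuse to start. A comment at this line recording the dependency, `# .bundle/config must survive into the runtime image so bundler keeps ignoring these groups`, would make that explicit. Whether the runtime stage copies `.bundle` is outside this hunk and should be confirmed.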