diff --git a/.github/workflows/lint-ruby.yml b/.github/workflows/lint-ruby.yml
index f4e81d508b..b3a89c3caf 100644
--- a/.github/workflows/lint-ruby.yml
+++ b/.github/workflows/lint-ruby.yml
@@ -47,4 +47,4 @@ jobs:
 
       - name: Run brakeman
         if: always() # Run both checks, even if the first failed
-        run: bundle exec brakeman
+        run: bin/brakeman
diff --git a/bin/brakeman b/bin/brakeman
new file mode 100755
index 0000000000..b4fe8de266
--- /dev/null
+++ b/bin/brakeman
@@ -0,0 +1,27 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+#
+# This file was generated by Bundler.
+#
+# The application 'brakeman' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../Gemfile", __dir__)
+
+bundle_binstub = File.expand_path("bundle", __dir__)
+
+if File.file?(bundle_binstub)
+  if File.read(bundle_binstub, 300).include?("This file was generated by Bundler")
+    load(bundle_binstub)
+  else
+    abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
+Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
+  end
+end
+
+require "rubygems"
+require "bundler/setup"
+
+load Gem.bin_path("brakeman", "brakeman")