diff --git a/Dockerfile b/Dockerfile
index adccd2e303..667a197a32 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -32,7 +32,10 @@ RUN apk add --no-cache \
 && gem install bundler \
 && bundle install --clean --no-cache --system $BUNDLER_ARGS \
 # temp fix for https://github.com/bundler/bundler/issues/6680
- && rm -rf /usr/local/bundle/cache
+ && rm -rf /usr/local/bundle/cache \
+ # needed so non root users can read content of the bundle
+ && chmod -R a+r /usr/local/bundle
+
 FROM ruby:2.5.1-alpine3.7
 LABEL maintainer="Rapid7"
@@ -43,13 +46,12 @@ ENV NMAP_PRIVILEGED=""
 COPY --from=builder /usr/local/bundle /usr/local/bundle
 COPY . $APP_HOME
-RUN chmod -R a+r /usr/local/bundle
 RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresql-libs python python3 ncurses libcap su-exec
-WORKDIR $APP_HOME
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
+WORKDIR $APP_HOME
 # we need this entrypoint to dynamically create a user
 # matching the hosts UID and GID so we can mount something
 # from the users home directory. If the IDs don't match
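Review bot: The `chmod -R a+r /usr/local/bundle` added in the first hunk grants read but not the directory search bit, so any directory installed without `o+x` would still be untraversable for the non-root user that the new comment names. Using `&& chmod -R a+rX /usr/local/bundle` covers directories as well and does not make regular files executable. Whether a gem actually installs such a directory is not visible here, so this is hardening rather than a confirmed failure. The RUN chain this line extends starts above the hunk.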
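Review bot: In the second hunk the two `setcap cap_net_raw,cap_net_bind_service=+eip` lines have no comment saying why the interpreter and nmap carry file capabilities, and that is the most security-relevant step in this stage. Because the capabilities are attached to the binaries, they should apply to any user that executes `ruby` or `nmap` in the image, not only to the user the entrypoint creates. I would add above them `# file capabilities let the non-root runtime user open raw sockets and bind ports <1024;` and `# they apply to every user that executes these binaries, so keep untrusted scripts out of the image`. It may also be worth noting for operators that running the container with NET_RAW dropped is likely to stop these binaries from starting, since the effective bit is set; confirm against the runtime configuration in use.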