diff --git a/Gemfile b/Gemfile
index 53b5d96b4767d821819981c25a0c74f18db0faac..8cf345a582988610d59b97094f2f2528f93a03f3 100644
--- a/Gemfile
+++ b/Gemfile
@@ -2,6 +2,12 @@
 
 source 'https://rubygems.org'
 
+if ENV['BUNDLER_CHECKSUM_VERIFICATION_OPT_IN'] # this verification is still experimental
+  $:.unshift(File.expand_path("vendor/gems/bundler-checksum/lib", __dir__))
+  require 'bundler-checksum'
+  Bundler::Checksum.patch!
+end
+
 gem 'bundler-checksum', '~> 0.1.0', path: 'vendor/gems/bundler-checksum', require: false
 
 gem 'rails', '~> 6.1.6.1'
diff --git a/Gemfile.checksum b/Gemfile.checksum
index 542a8d25fb6f9127dc6b7b8d4750142e5e856de5..2de539e0e2b534aaf89ceed49d05428a4a47e366 100644
--- a/Gemfile.checksum
+++ b/Gemfile.checksum
@@ -205,7 +205,7 @@
 {"name":"gitlab-labkit","version":"0.24.0","platform":"ruby","checksum":"8f16e5aa4e0a05be58958fe880bdd53c84b659a081ea9981d2b510922a4a0548"},
 {"name":"gitlab-license","version":"2.2.1","platform":"ruby","checksum":"39fcf6be8b2887df8afe01b5dcbae8d08b7c5d937ff56b0fb40484a8c4f02d30"},
 {"name":"gitlab-mail_room","version":"0.0.9","platform":"ruby","checksum":"6700374b5c0aa9d9ad4e711aeb677f0b7d415a6d01d3baa699efab25349d851c"},
-{"name":"gitlab-markup","version":"1.8.0","platform":"ruby","checksum":"fb629369dca5dd343e47ebf5fa2e0a0fc146012fc49c35eff5ca826ae4186c86"},
+{"name":"gitlab-markup","version":"1.8.1","platform":"ruby","checksum":"ab1f9fd016977497c2af25b76341dea670533014f406861834a0bd99f646707b"},
 {"name":"gitlab-net-dns","version":"0.9.1","platform":"ruby","checksum":"bcd1a08dcb31b731e8ff602d828de619d2d9f53f5812f6abacf11c720873d4cb"},
 {"name":"gitlab-omniauth-openid-connect","version":"0.10.0","platform":"ruby","checksum":"ea44a23ea93457057bba6a9912e883f5aefab36a941c6c58512c8a7095fb1153"},
 {"name":"gitlab-sidekiq-fetcher","version":"0.8.0","platform":"ruby","checksum":"9c564caa2a958d44a8d78672dc23b2a206102d0223b41b77b58626a945e37362"},
@@ -380,7 +380,6 @@
 {"name":"omniauth-oauth","version":"1.2.0","platform":"ruby","checksum":"e7a78658498dc83aa3f3be1a776425c0f06a60d45d9236dbe5e98e61fadf827b"},
 {"name":"omniauth-oauth2","version":"1.7.3","platform":"ruby","checksum":"3f5a8f99fa72e0f91d2abd7475ceb972a4ae67ed59e049f314c0c1bad81f4745"},
 {"name":"omniauth-oauth2-generic","version":"0.2.2","platform":"ruby","checksum":"e30814f6c472e04f3d9e4a3ddc03bc9a46f53f9333f8d443bf3ad43c6ebcdbd4"},
-{"name":"omniauth-rails_csrf_protection","version":"1.0.1","platform":"ruby","checksum":"fc546aeb7d43b7b9d7737051c380156e61c8f080b898cd4934d523eaa7e59acf"},
 {"name":"omniauth-saml","version":"2.0.0","platform":"ruby","checksum":"02594fd6630de26a9e65a2e64223e9ad32324fa97a6c7f1f22a1553ea3dd44c7"},
 {"name":"omniauth-shibboleth","version":"1.3.0","platform":"ruby","checksum":"b0bb725ced5cb76fbfc187ddbb8ad6864d0cd5df714cab36a528df8ee4b1d113"},
 {"name":"omniauth-twitter","version":"1.4.0","platform":"ruby","checksum":"c5cc6c77cd767745ffa9ebbd5fbd694a3fa99d1d2d82a4d7def0bf3b6131b264"},
@@ -405,7 +404,7 @@
 {"name":"pg","version":"1.4.1","platform":"x64-mingw-ucrt","checksum":"de35769d4e7c25daa035f2dc33447e74711ab0dc8b73f685a846987e0080d030"},
 {"name":"pg","version":"1.4.1","platform":"x64-mingw32","checksum":"3457bf6bfdda7144097ef23d490a83980ba4572c78c58689aadaf58940a1989d"},
 {"name":"pg","version":"1.4.1","platform":"x86-mingw32","checksum":"323d09138b7bbfc6ae8eb427774d3639fc0e995983e65bb729527bf8e859fc29"},
-{"name":"pg_query","version":"2.1.3","platform":"ruby","checksum":"f3dd4b4c88c638eab48e9274f0dd88c584b60f8da58e3008b873192fe1e47001"},
+{"name":"pg_query","version":"2.1.4","platform":"ruby","checksum":"48f1363f88cf9d86fa11d76d1b0f839ca3723b8bd397b7cbc4b578e1ca82d0bb"},
 {"name":"plist","version":"3.6.0","platform":"ruby","checksum":"f468bcf6b72ec6d1585ed6744eb4817c1932a5bf91895ed056e69b7f12ca10f2"},
 {"name":"png_quantizator","version":"0.2.1","platform":"ruby","checksum":"6023d4d064125c3a7e02929c95b7320ed6ac0d7341f9e8de0c9ea6576ef3106b"},
 {"name":"po_to_json","version":"1.0.1","platform":"ruby","checksum":"6a7188aa6c42a22c9718f9b39062862ef7f3d8f6a7b4177cae058c3308b56af7"},
diff --git a/doc/development/gemfile.md b/doc/development/gemfile.md
index dd687763356d5407c942afd2de9f168d75881f44..bed7b53c28f38671b5bb0542d802d4f88a84fd34 100644
--- a/doc/development/gemfile.md
+++ b/doc/development/gemfile.md
@@ -6,9 +6,39 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 
 # Gemfile guidelines
 
-When adding a new entry to `Gemfile` or upgrading an existing dependency pay
+When adding a new entry to `Gemfile`, or upgrading an existing dependency pay
 attention to the following rules.
 
+## Bundler checksum verification
+
+As for [GitLab 15.5](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/98508), gem
+checksums are checked before installation. This verification is still
+experimental so it is only active for CI.
+
+If the downloaded gem's checksum does not match the checksum record in
+`Gemfile.checksum`, you will see an error saying that Bundler cannot continue
+installing a gem because there is a potential security issue.
+
+You can opt-in to this verification locally by setting the
+`BUNDLER_CHECKSUM_VERIFICATION_OPT_IN` environment variable:
+
+```shell
+export BUNDLER_CHECKSUM_VERIFICATION_OPT_IN=1
+bundle install
+```
+
+### Updating the checksum file
+
+This needs to be done for any new, or updated gems.
+
+1. When updating `Gemfile.lock`, make sure to also update `Gemfile.checksum` with:
+
+   ```shell
+   bundle exec bundler-checksum init
+   ```
+
+1. Check, and commit the changes for `Gemfile.checksum`.
+
 ## No gems fetched from Git repositories
 
 We do not allow gems that are fetched from Git repositories. All gems have