Version tagging allows Community Edition users to link SOOS scans to released versions of their open source packages. This ensures that when users download an SBOM (in CycloneDX or VEX format), the vulnerability attestations are properly reflected for the version being downloaded.

Versions will be automatically tagged if the manifest format supports a version property.  The version can be changed (or added for manifests which do not support a version property) in the SOOS UI.

Tag the desired version in one of 2 ways:

  • For the most recent scan
    • Select the Add Version chip at the top of the Project Detail page.
  • For any previous scan
    • Select Add Version chip on the Project History tab for the desired scan date/time.


Alternatively, for GitHub app integrations SOOS supports reading a soos_version.txt file, which simply contains the desired version. This file can be updated automatically from the build process prior to running a SOOS scan and will be preferred over any value provided in a manifest property.

If using a file by a different name to house the build version information, visit the Configure page to indicate a file name of your choice under GitHub Settings.

Build version file name field in Github Settings