diff --git a/Dockerfile b/Dockerfile
index a0478af..1c762fc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,6 +12,7 @@ RUN apk add \
 ARG TERRAGRUNT
 ARG TERRAFORM
 ARG TERRAGRUNT_ATLANTIS_CONFIG
+ARG SOPS
 ARG ONE_PASSWORD_CLI
 
 ###
@@ -67,6 +68,24 @@ RUN set -eux \
 	&& chmod +x terragrunt-atlantis-config \
 	&& rm -rf terragrunt-atlantis-config_${TERRAGRUNT_ATLANTIS_CONFIG}_linux_amd64*
 
+###
+### Ensure SOPS version is present and validated
+###
+RUN set -eux \
+	&& if [ "${SOPS}" = "latest" ]; then \
+		SOPS="$( \
+			curl -L -sS --ipv4 https://github.com/getsops/sops/releases \
+			| tac | tac \
+			| grep -Eo '"/getsops/sops/releases/tag/v?[0-9]+\.[0-9]+\.[0-9]+"' \
+			| grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' \
+			| sort -V \
+			| tail -1 \
+		)"; \
+	fi \
+	&& cd /usr/local/bin \
+	&& curl -L -sS --ipv4 "https://github.com/getsops/sops/releases/download/v${SOPS}/sops-v${SOPS}.linux.amd64" -o sops \
+	&& chmod +x sops \
+	&& sops --version --disable-version-check | grep " ${SOPS}"
 
 ###
 ### Ensure 1Password CLI version is present, linked and validated
diff --git a/Makefile b/Makefile
index 4c5e09a..e6c193a 100644
--- a/Makefile
+++ b/Makefile
@@ -14,6 +14,7 @@ ATLANTIS = '0.27.1'
 TERRAFORM = '1.7.1'
 TERRAGRUNT = '0.54.22'
 TERRAGRUNT_ATLANTIS_CONFIG = '1.16.0'
+SOPS = '3.8.1'
 ONE_PASSWORD_CLI = '2.24.0'
 
 pull:
@@ -26,6 +27,7 @@ build:
 		--build-arg TERRAFORM=$(TERRAFORM) \
 		--build-arg TERRAGRUNT=$(TERRAGRUNT) \
 		--build-arg TERRAGRUNT_ATLANTIS_CONFIG=$(TERRAGRUNT_ATLANTIS_CONFIG) \
+		--build-arg SOPS=$(SOPS) \
 		--build-arg ONE_PASSWORD_CLI=$(ONE_PASSWORD_CLI) \
 		-t $(IMAGE) -f $(DIR)/$(FILE) $(DIR)
 
@@ -34,6 +36,7 @@ test:
 	docker run --rm --entrypoint terraform ${IMAGE} --version | grep -E 'v$(TERRAFORM)$$'
 	docker run --rm --entrypoint terragrunt ${IMAGE} --version | grep -E 'v$(TERRAGRUNT)$$'
 	docker run --rm --entrypoint terragrunt-atlantis-config ${IMAGE} version | grep -E "$(TERRAGRUNT_ATLANTIS_CONFIG)$$"
+	docker run --rm --entrypoint sops ${IMAGE} --version --disable-version-check | grep -E '^sops $(SOPS)$$'
 	docker run --rm --entrypoint op ${IMAGE} --version | grep -E '$(ONE_PASSWORD_CLI)$$'
 
 tag:
diff --git a/README.md b/README.md
index d72e4ae..6c24aa5 100644
--- a/README.md
+++ b/README.md
@@ -17,15 +17,16 @@ For building you can overwrite your desired versions with the following three Ma
 * `TERRAFORM`
 * `TERRAGRUNT`
 * `TERRAGRUNT_ATLANTIS_CONFIG`
+* `SOPS`
 * `ONE_PASSWORD_CLI`
 
+e.g.
 ```
 make build
 make build TERRAFORM=1.7.1
 make build TERRAFORM=1.7.1 TERRAGRUNT=0.54.22
 make build TERRAFORM=1.7.1 TERRAGRUNT=0.54.22 ATLANTIS=0.27.1
-make build TERRAFORM=1.7.1 TERRAGRUNT=0.54.22 ATLANTIS=0.27.1 TERRAGRUNT_ATLANTIS_CONFIG=1.16.0
-make build TERRAFORM=1.7.1 TERRAGRUNT=0.54.22 ATLANTIS=0.27.1 TERRAGRUNT_ATLANTIS_CONFIG=1.16.0 ONE_PASSWORD_CLI=2.24.0
+make build TERRAFORM=1.7.1 TERRAGRUNT=0.54.22 ATLANTIS=0.27.1 SOPS=3.8.1
 ```
 
 ## Available images