diff --git a/README.md b/README.md
index b771455..60a95f2 100644
--- a/README.md
+++ b/README.md
@@ -138,7 +138,7 @@ Add a finding fingerprint to `.envguard-ignore` in the repository root.
 
 ### `envguard version`
 
-Print the build version injected at compile time.
+Print the resolved build or module version.
 
 ## Allowlist Workflow
 
diff --git a/main.go b/main.go
index 635e82e..25df5ae 100644
--- a/main.go
+++ b/main.go
@@ -11,7 +11,7 @@ import (
 var version = "dev"
 
 func main() {
-	if err := cmd.Execute(version); err != nil {
+	if err := cmd.Execute(resolveVersion(version)); err != nil {
 		if !errors.Is(err, cmd.ErrFindings) {
 			fmt.Fprintln(os.Stderr, err)
 		}
diff --git a/version.go b/version.go
new file mode 100644
index 0000000..a54506f
--- /dev/null
+++ b/version.go
@@ -0,0 +1,21 @@
+package main
+
+import "runtime/debug"
+
+var readBuildInfo = debug.ReadBuildInfo
+
+// resolveVersion prefers an injected build version, then falls back to module build info.
+func resolveVersion(injected string) string {
+	if injected != "" && injected != "dev" {
+		return injected
+	}
+
+	info, ok := readBuildInfo()
+	if !ok {
+		return injected
+	}
+	if info.Main.Version == "" || info.Main.Version == "(devel)" {
+		return injected
+	}
+	return info.Main.Version
+}
diff --git a/version_test.go b/version_test.go
new file mode 100644
index 0000000..15aaba2
--- /dev/null
+++ b/version_test.go
@@ -0,0 +1,40 @@
+package main
+
+import (
+	"runtime/debug"
+	"testing"
+)
+
+func TestResolveVersionPrefersInjectedVersion(t *testing.T) {
+	t.Parallel()
+
+	if got := resolveVersion("v1.2.3"); got != "v1.2.3" {
+		t.Fatalf("resolveVersion() = %q, want %q", got, "v1.2.3")
+	}
+}
+
+func TestResolveVersionFallsBackToInjectedDevWhenNoBuildInfoVersion(t *testing.T) {
+	t.Parallel()
+
+	if got := resolveVersion("dev"); got != "dev" {
+		t.Fatalf("resolveVersion() = %q, want %q", got, "dev")
+	}
+}
+
+func TestResolveVersionFallsBackToBuildInfoVersion(t *testing.T) {
+	original := readBuildInfo
+	readBuildInfo = func() (*debug.BuildInfo, bool) {
+		return &debug.BuildInfo{
+			Main: debug.Module{
+				Version: "v0.1.1",
+			},
+		}, true
+	}
+	t.Cleanup(func() {
+		readBuildInfo = original
+	})
+
+	if got := resolveVersion("dev"); got != "v0.1.1" {
+		t.Fatalf("resolveVersion() = %q, want %q", got, "v0.1.1")
+	}
+}