From c1f1e28b1ad1df60cc878578fadcc4857f7ae140 Mon Sep 17 00:00:00 2001
From: smakarim
Date: Sat, 6 Jun 2026 20:45:21 +0500
Subject: [PATCH] chore: target go 1.22, add CLI long help and SECURITY policy

---
 SECURITY.md | 20 ++++++++++++++++++++
 cmd/revenant/main.go | 7 +++++++
 go.mod | 5 +++--
 3 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..6eb8fca
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,20 @@
+# Security Policy
+
+## Reporting a vulnerability in Revenant
+
+If you find a security issue in Revenant itself, please report it privately rather than opening
+a public issue. Open a draft advisory at
+https://github.com/smakarim/revenant/security/advisories/new and include steps to reproduce and
+the affected commit or version. You will get a response as soon as possible.
+
+## Using Revenant responsibly
+
+Revenant is for authorized security testing and for assets you own or are permitted to test.
+When it surfaces secrets in third-party repositories, follow responsible disclosure: report the
+exposure privately to the affected owner so they can rotate the credential, and do not access or
+use any secret you find.
+
+## Supported versions
+
+Revenant is pre-1.0. Fixes land on the latest `main`. Please test against `main` before
+reporting.
diff --git a/cmd/revenant/main.go b/cmd/revenant/main.go
index 806ab97..a3a5f0c 100644
--- a/cmd/revenant/main.go
+++ b/cmd/revenant/main.go
@@ -58,6 +58,13 @@ func main() {
 root := &cobra.Command{
 Use: "revenant",
 Short: "Recover deleted/force-pushed GitHub commits and find live secrets",
+ Long: `Revenant recovers deleted and force-pushed GitHub commits and scans them for live
+secrets. In one run it also scans reachable history, public gists, and, with --dork,
+all of GitHub via code search. Findings are verified with TruffleHog, attributed to the
+author who committed them, and ranked by blast radius.
+
+Requires TruffleHog on your PATH. A token (--tokens) is recommended for the activity log
+and required for --dork. See https://github.com/smakarim/revenant for details.`,
 RunE: func(cmd *cobra.Command, args []string) error {
 fmt.Fprint(os.Stderr, banner)
 spec, err := buildSpec(org, user, repos, reposFile)
diff --git a/go.mod b/go.mod
index 4e8cce8..b6de3d6 100644
--- a/go.mod
+++ b/go.mod
@@ -1,9 +1,10 @@
 module github.com/smakarim/revenant
 
-go 1.26.4
+go 1.22
+
+require github.com/spf13/cobra v1.10.2
 
 require (
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
-github.com/spf13/cobra v1.10.2 // indirect
 github.com/spf13/pflag v1.0.9 // indirect
 )
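Review bot: The new `Long` text tells users to supply their GitHub token through the `--tokens` flag without warning that a value passed on the command line is recorded in shell history and is readable by other local users through process listings, which matters for a tool whose whole purpose is finding leaked credentials. The help should carry that caveat, and if `--tokens` also accepts a file path or an environment variable (not visible from this hunk), say so and recommend it; for example, change the penultimate sentence to `A token (--tokens) is recommended for the activity log and required for --dork; prefer a file or environment variable over an inline value, since flag values end up in shell history and process listings.`. The same paragraph says TruffleHog is resolved from PATH, so it is worth one clause noting that the first `trufflehog` on PATH is what gets executed and that users should verify which binary that is. The enclosing `main` and the `RunE` closure both start and end outside this hunk.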