Supply chain attack just dropped. You have 6 projects in Downloads. You don't know which one has your OpenAI key exposed. Tama tells you in 10 seconds.
```
tama -p ~/Downloads
tama -p C:\ -o report.txt
tama -p /home -f .env.production
```

| # | Section |
|---|---|
| 1 | The Problem |
| 2 | How It Works |
| 3 | Tama vs GitLeaks / TruffleHog |
| 4 | What It Detects |
| 5 | Install |
| 6 | Usage |
| 7 | Output |
| 8 | Limitations |
You're building a SaaS. Your Downloads/ has multiple projects — each with its own .env, config.json, maybe a terraform.tfvars. You don't remember which project uses which credential.
A malicious pip package just made headlines. It hunts Downloads/ for .env files, browser-saved passwords, Stripe webhooks, OpenAI keys.
You need to know:
- Which project had the exposed file?
- What was in it? (so you know what to rotate)
- Is it only in Downloads, or somewhere else on your drive too?
GitLeaks won't help because your projects aren't repos. TruffleHog won't help because there's no git history to scan. You need something that just walks your disk and shows you the files.
That's Tama.
Point it at any path. It walks the entire tree, matches against 80+ known sensitive filenames, and prints each file's full content + exact path live as it finds them.
```
Downloads/
├── project-alpha/.env ← 🚨 printed with full content
├── saas-v2/secrets.json ← 🚨 printed with full content
└── freelance/id_rsa ← 🚨 printed with full content
```
No regex. No network. No git. Single binary.
| | Tama | GitLeaks | TruffleHog |
|---|---|---|---|
| Scans local folders/drives | ✅ | ❌ | ❌ |
| Works without git | ✅ | ❌ | ❌ |
| Shows full file content | ✅ | ❌ line only | ❌ line only |
| Scans git history | ❌ | ✅ | ✅ |
| Supply chain incident response | ✅ built for this | ❌ | ❌ |
| Scan entire C: / D: drive | ✅ | ❌ | ❌ |
| Single-file targeted sweep (`-f`) | ✅ | ❌ | ❌ |
| Zero dependencies | ✅ single binary | ❌ | ❌ |
Bottom line: GitLeaks/TruffleHog prevent secrets from entering git. Tama answers "where on my machine is an exposed file right now, and what's in it?"
By filename (80+ targets). View the full list 👉here👈 🫠🫠
```
git clone https://github.com/gigachad80/Tama-Scanner
cd Tama-Scanner
go build -o tama main.go
```

Requires Go 1.21+. Produces a single static binary.
| Flag | Description |
|---|---|
| `-p <path>` | Root path to scan (required) |
| `-f <filename>` | Scan for one specific file only |
| `-o <file>` | Save output to .txt report |
| `-h` | Help |
Common scenarios:
```
# Incident response — scan entire Downloads
tama -p ~/Downloads
# Don't know which drive — scan everything, save report
tama -p C:\ -o report.txt
# Targeted: find all .env.production files across all projects
tama -p ~/projects -f .env.production
# Server audit
tama -p /var/www -f wp-config.php
```

```
──────────────────────────────────────────────────────────────────
[1] FILE FOUND
──────────────────────────────────────────────────────────────────
Name : .env
Location : /home/user/Downloads/saas-prototype/.env
Size : 312 bytes
Modified : 2025-03-14 10:22:07
▼ CONTENT
············································································
1 OPENAI_API_KEY=sk-proj-xxxxxxxxxxxxxxxxxxxxx
2 STRIPE_WEBHOOK_SECRET=whsec_xxxxxxxxxxxxx
3 DATABASE_URL=postgresql://admin:password@localhost:5432/prod
············································································
```
- Matches by filename only - no content-regex scanning
- Files >5MB skipped, output truncated at 5000 lines
- Symlinks skipped
- No git history scanning (by design)
GNU GPL 3.0 License · Star it if it saved your keys.
Contact: github.com/gigachad80 · pookielinuxuser@tutamail.com