TL;DR

Tailsnitch is a command-line auditor that scans Tailscale tailnets for configuration errors, insecure keys, and access-control issues. It runs dozens of checks, can export JSON/SOC 2 evidence, and offers an interactive fix mode that uses the Tailscale API.

What happened

A new open-source tool called Tailsnitch inspects Tailscale tailnets for security problems and policy mistakes. The CLI performs 52 checks across seven categories—including access controls, authentication and keys, devices, networking, SSH, logging, and DNS—and surfaces critical, high, medium and informational findings. Users can authenticate via OAuth clients (recommended, with scoped access) or API keys, run audits locally or against a specified tailnet, export results as JSON or CSV, and integrate scans into CI/CD pipelines. The tool includes an interactive "fix" mode that can remediate certain issues through the Tailscale API (with preview and auto-select options) and can produce SOC 2 evidence reports mapped to common control codes. Administrators can suppress accepted risks with a .tailsnitch-ignore file and tailor output with filters such as severity, category, and specific checks.

Why it matters

  • Automates discovery of misconfigurations and overly permissive access rules that could expose a tailnet.
  • Built-in remediation options let teams reduce time between detection and corrective action by calling the Tailscale API.
  • SOC 2 evidence export helps map audit results to compliance controls for formal assessments.
  • JSON and CLI-friendly output enables integration into CI/CD pipelines and downstream tooling for continuous security checks.

Key facts

  • Performs 52 security checks grouped into seven categories (access, auth, device, network, ssh, log, dns).
  • Critical/high checks include default 'allow all' ACLs, reusable or long-expiry auth keys, tag misconfigurations, and Tailnet Lock status.
  • Authentication supports two methods: OAuth client (preferred, scoped) and traditional API keys (inherit creator's permissions).
  • Interactive fix mode can delete auth keys, remove device tags, delete stale devices, authorize pending devices, and more via the Tailscale API.
  • Can export full reports as JSON, filter and format results with jq, and output SOC 2 evidence as JSON or CSV.
  • Administrators can ignore known, accepted risks using a .tailsnitch-ignore file (configurable locations or disabled).
  • Command flags include --json, --severity, --category, --checks, --fix, --soc2, --tailnet, --ignore-file, and others.
  • Tailnet Lock checks require access to a local tailscale CLI; when auditing a remote tailnet their results reflect the local machine's daemon status.
  • Installable via pre-built binaries from GitHub Releases, go install, or building from source.
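Two of the critical checks listed above (the default 'allow all' ACL and reusable or long-expiry auth keys), re-implemented in Python as an added example; this is not Tailsnitch's own code. The ACL detector follows Tailscale's documented policy schema (an `acls` list of `action`/`src`/`dst` rules, where `*` and `*:*` are the wildcards used by the default policy). The tightened policy, the auth-key records, their field names (`id`, `reusable`, `expires`) and the 30-day threshold are constructed assumptions for this example, not the Tailscale API's response format.

```python
"""Added example: two Tailsnitch-style checks, re-implemented here.

Not Tailsnitch's code. The ACL shape follows Tailscale's documented policy
schema; the auth-key records and their field names are constructed for
this example and do not mirror the Tailscale API's response schema.
"""
import json
from datetime import datetime, timedelta, timezone

# Tailscale's default policy: every source may reach every destination on
# every port. Written as plain JSON here; real policy files are HuJSON
# (comments and trailing commas allowed) and need a tolerant parser.
PERMISSIVE_POLICY = """
{
  "acls": [
    {"action": "accept", "src": ["*"], "dst": ["*:*"]}
  ]
}
"""

# Constructed tightened policy: rules scoped to groups, tags and ports.
TIGHTENED_POLICY = """
{
  "tagOwners": {"tag:web": ["group:ops"], "tag:db": ["group:ops"]},
  "acls": [
    {"action": "accept", "src": ["group:ops"], "dst": ["tag:web:22", "tag:web:443"]},
    {"action": "accept", "src": ["tag:web"], "dst": ["tag:db:5432"]}
  ]
}
"""


def find_allow_all_rules(policy_text):
    """Return the indexes of 'acls' entries that accept any source to any
    destination on any port, i.e. the shape of Tailscale's default policy."""
    policy = json.loads(policy_text)
    findings = []
    for index, rule in enumerate(policy.get("acls", [])):
        if rule.get("action") != "accept":
            continue
        any_src = "*" in rule.get("src", [])
        any_dst = "*:*" in rule.get("dst", [])
        if any_src and any_dst:
            findings.append(index)
    return findings


# Constructed auth-key records (assumed field names, fixed "now" so the
# example is deterministic).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"id": "key-ci", "reusable": False, "expires": NOW + timedelta(days=7)},
    {"id": "key-onboarding", "reusable": True, "expires": NOW + timedelta(days=90)},
    {"id": "key-forgotten", "reusable": True, "expires": NOW - timedelta(days=3)},
]


def flag_risky_auth_keys(keys, now, max_lifetime_days=30):
    """Return {key_id: [reasons]} for unexpired keys that are reusable or
    whose remaining lifetime exceeds max_lifetime_days. Expired keys are
    skipped because they can no longer enrol a device."""
    flagged = {}
    for key in keys:
        if key["expires"] <= now:
            continue
        reasons = []
        if key["reusable"]:
            reasons.append("reusable")
        if key["expires"] - now > timedelta(days=max_lifetime_days):
            reasons.append("expiry beyond %d days" % max_lifetime_days)
        if reasons:
            flagged[key["id"]] = reasons
    return flagged


if __name__ == "__main__":
    print("allow-all rules (permissive):", find_allow_all_rules(PERMISSIVE_POLICY))
    print("allow-all rules (tightened):", find_allow_all_rules(TIGHTENED_POLICY))
    print("risky auth keys:", flag_risky_auth_keys(SAMPLE_KEYS, NOW))
```

In a real audit the policy and key list would come from the Tailscale API rather than embedded constants, and a policy file pulled from the admin console may contain comments, so parse it with a HuJSON-aware library before applying the rule check.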

Quick glossary

  • tailnet: A private network of devices connected via Tailscale under a single administrative domain.
  • ACL (Access Control List): A set of rules that defines which users or devices are permitted to access specific resources or services.
  • OAuth client: An application credential pair that grants scoped, auditable access to APIs without using a user's personal API key.
  • SOC 2: A compliance framework and audit standard focused on security, availability, processing integrity, confidentiality, and privacy controls.
  • Ephemeral key: A short-lived credential intended to limit exposure if compromised by expiring automatically after a brief period.

Reader FAQ

How does Tailsnitch authenticate to Tailscale?
It supports OAuth clients (recommended for scoped, auditable access) and API keys that inherit the creator's permissions.

Can Tailsnitch automatically fix issues it finds?
Yes. An interactive --fix mode can remediate certain findings via the Tailscale API, with dry-run and auto-select options; some actions still require confirmation.

Does it produce compliance evidence?
Yes. Tailsnitch can export SOC 2 evidence reports mapped to common control codes in JSON or CSV formats.

Are Tailnet Lock checks performed remotely?
Tailnet Lock checks require the local tailscale CLI and, when auditing a remote tailnet, reflect the status of the local daemon rather than the audited tailnet.

Sources

Tailsnitch: "A security auditor for Tailscale configurations. Tailsnitch scans your tailnet for 50+ misconfigurations, overly permissive access controls, and security best practice violations. Quick Start # 1. Set your Tailscale…"
