TL;DR

Tailsnitch is an open-source tool that scans Tailscale tailnets for misconfigurations, permissive access controls and other security issues, running more than 50 checks across multiple categories. It can run read-only audits, output JSON for automation, and optionally remediate some findings via the Tailscale API or produce SOC 2 evidence exports.

What happened

A new utility called Tailsnitch inspects Tailscale tailnets for configuration and security problems. The tool runs 52 checks grouped into seven categories — access controls, authentication & keys, device posture, networking, SSH, logging/admin and DNS — and flags issues at severities from informational to critical. Operators can authenticate using a scoped OAuth client (recommended) or an API key; OAuth is preferred where available and permits finer-scoped, auditable access. Tailsnitch can produce JSON output for automation, filter results by severity or category, and run in CI/CD pipelines. An interactive fix mode lets users remediate certain items via the Tailscale API (with dry-run, auto-select and audit-log controls), while other findings include links to the Tailscale admin console for manual remediation. The tool also supports SOC 2 evidence exports and an ignore-file mechanism to suppress accepted risks during audits.

Why it matters

  • Automates detection of common Tailscale misconfigurations, reducing manual review burden.
  • Scoped OAuth and API key options enable integration with existing workflows while limiting permissions.
  • Interactive fix mode can remove or modify resources via the Tailscale API, shortening remediation time for supported checks.
  • SOC 2 evidence export helps teams collect per-resource test results and control mappings for audits.

Key facts

  • Tailsnitch performs 52 security checks across seven categories (access, auth, device, network, ssh, log, dns).
  • Critical checks include default allow-all ACL policies and overly broad tagOwners; high checks flag reusable auth keys, long expiry keys, pending Tailnet Lock signatures and funnel/subnet exposures.
  • Authentication supports OAuth clients (recommended, with scoped permissions) and API keys; OAuth is suggested when both are configured.
  • Interactive fix mode (--fix) can delete auth keys, remove tags from devices, delete stale devices and authorize pending devices; it supports --dry-run and --auto options.
  • Outputs can be rendered as JSON for further processing and filtered by severity, category, or specific check IDs.
  • SOC 2 evidence export is available in JSON or CSV and includes per-resource test results, Common Criteria code mappings and timestamps.
  • Users can create a .tailsnitch-ignore file to suppress known, accepted risks; ignore-file processing can be disabled.
  • Tailnet Lock checks (DEV-010, DEV-012) rely on the local tailscale CLI and reflect the auditing host's local daemon status when auditing remote tailnets.
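To make the critical findings above concrete, here is an added example (written for this article, not Tailsnitch's own code) of what a policy-file check for a default allow-all ACL and an overly broad tagOwners entry looks like. The policy text, the check IDs and the "broad owner" heuristic (a tag claimable by `*` or `autogroup:member`) are constructed assumptions for illustration; real Tailscale policy files are HuJSON, so a production tool would use a HuJSON parser instead of `json.loads`.

```python
"""Hypothetical policy checks in the spirit of Tailsnitch's critical findings:
a default allow-all ACL rule and tagOwners any member can claim.
Example code for this article, not the Tailsnitch project's own source."""
import json
from dataclasses import dataclass
from typing import Any

# Constructed sample policy: Tailscale's default allow-all rule, one scoped
# rule, one well-owned tag and one tag that every member may apply.
# Plain JSON is used here; real policy files are HuJSON (comments allowed).
SAMPLE_POLICY = """
{
  "acls": [
    {"action": "accept", "src": ["*"], "dst": ["*:*"]},
    {"action": "accept", "src": ["group:ops"], "dst": ["tag:prod:22"]}
  ],
  "tagOwners": {
    "tag:prod": ["group:ops"],
    "tag:dev": ["autogroup:member"]
  }
}
"""

# Owner principals that let any tailnet member claim a tag (assumed heuristic;
# "autogroup:members" is the older spelling of the same autogroup).
BROAD_OWNERS = {"*", "autogroup:member", "autogroup:members"}


@dataclass(frozen=True)
class Finding:
    check_id: str   # placeholder IDs, not Tailsnitch's real check IDs
    severity: str
    message: str


def _is_wildcard(entries: list[str]) -> bool:
    # "*" matches any source; "*:*" matches any destination on any port.
    # A port-restricted destination such as "*:443" is deliberately not
    # treated as a wildcard here.
    return any(e in ("*", "*:*") for e in entries)


def check_allow_all_acl(policy: dict[str, Any]) -> list[Finding]:
    """Flag accept rules that let any source reach any destination and port."""
    findings: list[Finding] = []
    for i, rule in enumerate(policy.get("acls", [])):
        if rule.get("action") != "accept":
            continue
        if _is_wildcard(rule.get("src", [])) and _is_wildcard(rule.get("dst", [])):
            findings.append(Finding(
                "ACL-ALLOW-ALL", "critical",
                f"acls[{i}] accepts traffic from any source to any destination and port",
            ))
    return findings


def check_broad_tag_owners(policy: dict[str, Any]) -> list[Finding]:
    """Flag tags whose owner list lets every tailnet member apply the tag."""
    findings: list[Finding] = []
    for tag, owners in policy.get("tagOwners", {}).items():
        broad = sorted(set(owners) & BROAD_OWNERS)
        if broad:
            findings.append(Finding(
                "TAGOWNER-BROAD", "critical",
                f"{tag} can be claimed by {', '.join(broad)}; "
                f"any member may assume whatever access the tag grants",
            ))
    return findings


def audit_policy(policy_text: str) -> list[Finding]:
    """Parse a policy document and run both checks, allow-all ACLs first."""
    policy = json.loads(policy_text)
    return check_allow_all_acl(policy) + check_broad_tag_owners(policy)


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"[{f.severity.upper()}] {f.check_id}: {f.message}")
```

Run against the constructed policy this reports two critical findings: the `*` to `*:*` rule and `tag:dev` being claimable by `autogroup:member`. The scoped `group:ops` rule and the `group:ops`-owned `tag:prod` are not reported, which is the distinction an auditor wants: broad access that was granted deliberately to a named group is a policy decision, while a wildcard rule or member-claimable tag silently hands the whole tailnet the same reach.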

What to watch next

  • Project maintenance and release cadence: not confirmed in the source
  • How future Tailscale API or policy changes will affect Tailsnitch compatibility: not confirmed in the source
  • Plans for enterprise support, commercial offerings or hosted versions: not confirmed in the source

Quick glossary

  • Tailnet: A private network of devices managed by Tailscale, using its identity-based mesh VPN.
  • ACL (Access Control List): A set of rules that defines which users or devices can access which services or resources.
  • OAuth client: A mechanism to grant scoped, revocable access to APIs on behalf of users or services without sharing passwords.
  • Auth key: A token used to add devices to a Tailnet; can be single-use or reusable and may have expirations.
  • SOC 2: An audit framework for service organizations that focuses on controls relevant to security, availability, processing integrity, confidentiality and privacy.

Reader FAQ

Will Tailsnitch modify my tailnet automatically?
Tailsnitch does not change resources unless you run it with --fix; fix mode is explicit and supports dry-run and auto-select options.

What authentication methods does Tailsnitch support?
It supports OAuth clients (recommended, with fine-grained scopes) and API keys; OAuth is used when both are configured.

Can Tailsnitch produce compliance evidence for audits?
Yes. It can export SOC 2 evidence in JSON or CSV, including per-resource results, control mappings and timestamps.

Is there a hosted or commercial version of Tailsnitch?
Not confirmed in the source.

Tailsnitch: A security auditor for Tailscale configurations. Tailsnitch scans your tailnet for 50+ misconfigurations, overly permissive access controls, and security best practice violations. Quick Start # 1. Set your Tailscale…
