Today we’re announcing a secret scanning integration between Tailscale and GitHub, the world’s largest source code host. This collaborative effort marks our fourth secret scanning partnership established as part of continual efforts to secure customers’ tailnets.
GitHub secret scanning now scans your source code, issues, pull requests, wikis, and other data for Tailscale secrets. When a potential match is found, GitHub verifies the authenticity of the secret with Tailscale. If the secret is active, Tailscale revokes it and notifies users via email. We quietly kicked this off a few months back, in October; since then, it has discovered and revoked over 3,500 keys.
GitHub is now monitoring for five kinds of Tailscale secrets: API keys, pre-authentication keys, OAuth client secrets, SCIM keys, and webhook keys. Keeping these keys safe is part and parcel of our shared security model.
Tailscale automatic secret scanning is available on any public GitHub repository. GitHub Enterprise Cloud with GitHub Advanced Security adds further capabilities for processing data in private repositories.