Scanning for exposed Tailscale secrets
Tailscale provides a variety of keys that are used for automation and integration. Treat these keys as secrets and handle them securely. If they are leaked, someone could take harmful action on your Tailscale network (known as a tailnet). To help mitigate accidental disclosure and prevent fraudulent use, Tailscale partners with the following companies to provide secret scanning of source code repositories and other data sources to find leaked Tailscale keys: GitGuardian, GitHub, GitLab, and TruffleHog.
This article describes the scanning performed by these companies, and the actions taken when they believe they have discovered an exposed Tailscale secret.
The types of Tailscale keys that are in scope for secret scanning are:
- API access tokens (also known as "API keys")
- OAuth clients
- Pre-authentication keys (also known as "auth keys")
- System for Cross-domain Identity Management (SCIM) keys
- Webhook keys
If you are notified or otherwise believe that one of your Tailscale keys has been compromised, see Key and secret management for recommended actions.
GitGuardian
GitGuardian scans across your platforms to look for leaked secrets. If it detects a possible Tailscale secret, GitGuardian makes an API call to a Tailscale endpoint to determine whether the secret is an actual active secret. If the secret is active, GitGuardian contacts the user whose data source contains the secret.
The GitGuardian API call to the Tailscale endpoint does not modify your tailnet; it merely checks whether a secret is an active Tailscale key.
GitGuardian does not notify Tailscale about any potentially exposed Tailscale secrets that GitGuardian detects.
GitHub
GitHub automatically scans all public repositories (including issues, pull requests, comments, and wikis) and all public NPM packages. If GitHub finds a Tailscale secret in those sources, GitHub makes an API call to a Tailscale endpoint to determine whether the secret is an active secret. If it is an active secret, Tailscale will revoke the secret and send an email to the security issues contact for the tailnet to which the leaked secret belongs.
If you have configured GitHub to scan your private repositories and issues and GitHub finds a Tailscale secret in those sources, GitHub makes an API call to a Tailscale endpoint to determine whether the secret is an active secret. If it is an active secret, Tailscale will revoke the secret and send an email to the security issues contact for the tailnet to which the leaked secret belongs. Additionally, GitHub will report the leaked secret as an alert on the Security tab of the GitHub repository. GitHub's scanning of a private repository's issues includes scanning the titles, descriptions, and comments in open and historical issues.
For more information about GitHub secret scanning, see the GitHub About secret scanning article.
GitLab
GitLab provides GitLab Secret Detection, which when enabled scans all text files in your GitLab repository to find leaked secrets. GitLab uses a regular expression (also known as a regex) provided by Tailscale as the scan criteria for leaked secrets. If a secret that is believed to be a Tailscale secret is discovered, GitLab will report the leaked secret in a GitLab artifact report for the GitLab repository. GitLab does not notify Tailscale about any potentially exposed Tailscale secrets in GitLab repositories. For more information about GitLab secret scanning, see the GitLab Secret Detection article.
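The GitLab scan above is driven by a Tailscale-supplied regex that the article does not reproduce. As an added example (not Tailscale's or GitLab's code), the following local scanner shows the same pattern-match-then-report step over a constructed repository snapshot; it assumes Tailscale keys share a "tskey-<type>-" prefix and reports only redacted matches so the report itself does not become a second leak.

```python
import re
from typing import NamedTuple

# Assumption (not from the Tailscale article): keys carry a "tskey-<type>-"
# prefix. This pattern is a stand-in for the regex Tailscale supplies to GitLab.
TSKEY_RE = re.compile(
    r"\btskey-(?P<kind>auth|api|client|scim|webhook)-[A-Za-z0-9_-]{10,}\b"
)

class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    redacted: str  # never carry the full secret into the report

def redact(token: str) -> str:
    """Keep the prefix and the last 4 characters so the owner can identify the key."""
    return f"{token[:12]}...{token[-4:]}"

def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one text file and return one Finding per candidate key."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TSKEY_RE.finditer(line):
            findings.append(Finding(path, line_no, m.group("kind"), redact(m.group(0))))
    return findings

def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan every text file in a {path: contents} snapshot, like a CI job would."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample snapshot; the keys are fake placeholders, not real secrets.
SAMPLE_REPO = {
    "ci/deploy.yml": "env:\n  TS_AUTHKEY: tskey-auth-kEXAMPLE1CNTRL-0000000000000000000000\n",
    "scripts/rotate.sh": "#!/bin/sh\ncurl -u 'tskey-api-kEXAMPLE2CNTRL-1111111111111111111111:' \"$API_URL\"\n",
    "README.md": "Set TS_AUTHKEY from your secret manager, never in git.\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}: possible Tailscale {f.kind} key {f.redacted}")
```

Every hit should be treated as a live key until checked and rotated, since a regex cannot tell an active key from a revoked one; that is the step the partner's call to the Tailscale endpoint performs.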
TruffleHog
TruffleHog scans across your platforms to look for leaked secrets. If it detects a possible Tailscale secret, TruffleHog makes an API call to a Tailscale endpoint to determine whether the secret is an actual active secret. If the secret is active, TruffleHog contacts the user whose data source contains the secret.
The TruffleHog API call to the Tailscale endpoint does not modify your tailnet; it merely checks whether a secret is an active Tailscale key.
When Tailscale receives notice of an exposed secret from TruffleHog, Tailscale does not automatically revoke the secret.