Scanning for exposed Tailscale secrets

Tailscale provides a variety of keys that are used for automation and integration. Treat these keys as secrets and handle them securely. If a key leaks, whoever holds it can act on your Tailscale network (known as a tailnet) with that key's permissions. To help mitigate accidental disclosure and prevent fraudulent use, Tailscale partners with TruffleHog and GitGuardian to provide secret scanning of source code repositories and other data sources to find leaked Tailscale keys. This article describes the scanning performed by TruffleHog and GitGuardian, and the actions each takes when it believes it has discovered an exposed Tailscale secret.

The types of Tailscale keys that are in scope for secret scanning are:

If you are notified or otherwise believe that one of your Tailscale keys has been compromised, see Key and secret management for recommended actions.

Secret scanning is available for all plans.

TruffleHog

TruffleHog scans across your platforms to look for leaked secrets. If it detects a possible Tailscale secret, TruffleHog makes an API call to a Tailscale endpoint to determine whether the secret is an actual active secret. If the secret is active, TruffleHog contacts the user whose data source contains the secret.

The TruffleHog API call to the Tailscale endpoint does not modify your tailnet; it only checks whether the candidate string is an active Tailscale key.

When Tailscale receives notice of an exposed secret from TruffleHog, Tailscale does not automatically revoke the secret.

GitGuardian

GitGuardian scans across your platforms to look for leaked secrets. If it detects a possible Tailscale secret, GitGuardian makes an API call to a Tailscale endpoint to determine whether the secret is an actual active secret. If the secret is active, GitGuardian contacts the user whose data source contains the secret.

The GitGuardian API call to the Tailscale endpoint does not modify your tailnet; it only checks whether the candidate string is an active Tailscale key.

GitGuardian does not notify Tailscale about any potentially exposed Tailscale secrets that GitGuardian detects.
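Both scanners start the same way: find strings shaped like a Tailscale key, then verify them. The following is an added example of that first step as a local pre-commit style scanner; it is not TruffleHog, GitGuardian or Tailscale code. The key prefixes it matches (`tskey-auth-`, `tskey-api-`, `tskey-client-`, each followed by a key ID and a secret part) are an assumption drawn from publicly visible key formats, not from this page, and the sample input is constructed. The verification call the page describes is deliberately left out, since the page does not document the endpoint; like the partner scanners, this only reports *possible* secrets, and it never carries the raw secret in its findings so that the scanner's own output cannot become a second leak.

```python
"""Local scanner for Tailscale-shaped keys (added example, not partner code).

Assumption: keys look like tskey-<kind>-<key id>-<secret>, with kind in
auth, api or client. This finds candidates only; it does not verify them
and it never stores or prints the secret portion.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Assumed key shape; the kind component is what the scanner classifies on.
KEY_RE = re.compile(
    r"\btskey-(?P<kind>auth|api|client)-"
    r"(?P<id>[A-Za-z0-9]{6,})-(?P<secret>[A-Za-z0-9]{10,})\b"
)

# Obvious dummy values seen in docs, templates and READMEs.
PLACEHOLDER_RE = re.compile(r"^(?:x+|X+|\.+|0+|REDACTED|CHANGEME|example)$")


@dataclass(frozen=True)
class Finding:
    source: str    # file name or label of the scanned data source
    line: int      # 1-based line number within the source
    kind: str      # auth, api or client
    redacted: str  # key with the secret portion masked; safe to log


def is_placeholder(secret: str) -> bool:
    """True for template values so that docs do not produce noise."""
    return bool(PLACEHOLDER_RE.match(secret)) or len(set(secret)) == 1


def redact(match: re.Match) -> str:
    """Keep prefix and key ID for correlation; mask all but 4 chars of the secret."""
    secret = match.group("secret")
    masked = secret[:4] + "*" * (len(secret) - 4)
    return f"tskey-{match.group('kind')}-{match.group('id')}-{masked}"


def scan_text(text: str, source: str = "<text>") -> list[Finding]:
    """Return one Finding per non-placeholder candidate key in text."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            if is_placeholder(m.group("secret")):
                continue
            findings.append(Finding(source, lineno, m.group("kind"), redact(m)))
    return findings


def scan_files(paths: list[str]) -> list[Finding]:
    """Scan each path as text; binary junk is replaced rather than crashing."""
    findings: list[Finding] = []
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), path))
    return findings


# Constructed sample input (not real keys): an auth key in a CI workflow,
# a placeholder in a README, and an API key committed in a .env file.
SAMPLE = """\
# .github/workflows/deploy.yml
      - run: tailscale up --authkey tskey-auth-kA1B2C3CNTRL-Jd8zQw7pR2mN5vX1cL9tB4hF6yS3gK0e
# README.md
Set TS_AUTHKEY=tskey-auth-kXXXXXXCNTRL-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# .env
TAILSCALE_API_KEY=tskey-api-kD4E5F6CNTRL-Q9wE8rT7yU6iO5pA4sD3fG2hJ1kL0zX9
"""

if __name__ == "__main__":
    # With file arguments, scan those; otherwise scan the constructed sample.
    results = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE, "sample")
    for f in results:
        print(f"{f.source}:{f.line}: possible Tailscale {f.kind} key {f.redacted}")
    # Non-zero exit lets a pre-commit hook block the commit.
    sys.exit(1 if results else 0)
```

On the constructed sample this reports the workflow auth key and the `.env` API key and skips the README placeholder. Treat every hit as a possible key and go through the steps in Key and secret management for it; a scanner that only matches shape cannot tell you whether the key is still active, which is exactly the verification step the partner scanners add.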
