Scanning for exposed Tailscale secrets

Tailscale provides a variety of keys that are used for automation and integration. Treat these keys as secrets and handle them securely. If they are leaked, someone could take harmful action on your Tailscale network (known as a tailnet). To help mitigate accidental disclosure and prevent fraudulent use, Tailscale partners with the following companies to provide secret scanning of source code repositories and other data sources to find leaked Tailscale keys:

• GitGuardian
• GitLab
• TruffleHog

This article describes the scanning performed by these companies, and the actions taken when they believe they have discovered an exposed Tailscale secret.

The types of Tailscale keys that are in scope for secret scanning are:

• API access tokens (also known as "API keys")
• OAuth clients
• Pre-authentication keys (also known as "auth keys")
• System for Cross-domain Identity Management (SCIM) keys
• Webhook keys

If you are notified or otherwise believe that one of your Tailscale keys has been compromised, see Key and secret management for recommended actions.

GitGuardian

GitGuardian scans across your platforms to look for leaked secrets. If it detects a possible Tailscale secret, GitGuardian makes an API call to a Tailscale endpoint to determine whether the secret is an actual active secret. If the secret is active, GitGuardian contacts the user whose data source contains the secret.

The GitGuardian API call to the Tailscale endpoint does not modify your tailnet, it merely checks to see if a secret is an active Tailscale key.

GitGuardian does not notify Tailscale about any potentially exposed Tailscale secrets that GitGuardian detects.

GitLab

GitLab provides GitLab Secret Detection, which when enabled scans all text files in your GitLab repository to find leaked secrets. GitLab uses a regular expression (also known as a regex) provided by Tailscale as the scan criteria for leaked secrets. If a secret that is believed to be a Tailscale secret is discovered, GitLab will report the leaked secret in a GitLab artifact report for the GitLab repository. GitLab does not notify Tailscale about any potentially exposed Tailscale secrets in GitLab repositories. For more information about GitLab secret scanning, see the GitLab Secret Detection article.

TruffleHog

TruffleHog scans across your platforms to look for leaked secrets. If it detects a possible Tailscale secret, TruffleHog makes an API call to a Tailscale endpoint to determine whether the secret is an actual active secret. If the secret is active, TruffleHog contacts the user whose data source contains the secret.

The TruffleHog API call to the Tailscale endpoint does not modify your tailnet, it merely checks to see if a secret is an active Tailscale key.

When Tailscale receives notice of an exposed secret from TruffleHog, Tailscale does not automatically revoke the secret.