Scanning for exposed Tailscale secrets
Tailscale provides a variety of keys that are used for automation and integration. Treat these keys as secrets and handle them securely. If they are leaked, someone could take harmful action on your Tailscale network (known as a tailnet). To help mitigate accidental disclosure and prevent fraudulent use, Tailscale partners with TruffleHog to provide secret scanning of source code repositories and other data sources to find leaked Tailscale keys. This article describes the scanning performed by TruffleHog and the actions taken when TruffleHog believes it has discovered an exposed Tailscale secret.
The types of Tailscale keys that are in scope for secret scanning are:
- API access tokens (also known as “API keys”)
- OAuth clients
- Pre-authentication keys (also known as “auth keys”)
- System for Cross-domain Identity Management (SCIM) keys
- Webhook keys
If you are notified or otherwise believe that one of your Tailscale keys has been compromised, see Key and secret management for recommended actions.
TruffleHog
TruffleHog scans your source code repositories and other connected data sources for leaked secrets. When it finds a string that looks like a Tailscale key, TruffleHog makes an API call to a Tailscale endpoint to check whether that candidate is a real, currently active key. If it is, TruffleHog notifies the user whose data source contains the key.
The TruffleHog API call to the Tailscale endpoint does not modify your tailnet; it only checks whether the candidate is an active Tailscale key.
When Tailscale receives notice of an exposed secret from TruffleHog, Tailscale does not automatically revoke the secret. Revoking the exposed key and replacing it is up to you; see Key and secret management for the recommended steps.
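The pipeline described above (find a candidate key, verify it without changing anything, notify with a redacted value, leave revocation to the key owner) can be illustrated with a small scanner. This is an added example for this article, not TruffleHog's or Tailscale's code. It assumes Tailscale keys share a `tskey-<kind>-<random>` shape and maps the `<kind>` token onto the key types listed above; that mapping is the example author's assumption, not something this page documents. Because the article does not name the Tailscale verification endpoint, the read-only verification call is replaced by an offline lookup against a constructed set of "active" keys, and the sample repository files and keys are constructed as well.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable

# Assumption (not stated on this page): Tailscale keys share the shape
# "tskey-<kind>-<random>". The <kind> labels below are this example's mapping
# onto the key types the article lists; treat them as illustrative.
KEY_RE = re.compile(r"\btskey-(?P<kind>[a-z]+)-(?P<body>[A-Za-z0-9_-]{16,})\b")

KIND_LABELS = {
    "api": "API access token",
    "auth": "pre-authentication key",
    "client": "OAuth client secret",
    "scim": "SCIM key",
    "webhook": "webhook secret",
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str       # human-readable key type
    redacted: str   # never the full secret
    active: bool    # answer from the read-only verification step


def redact(kind: str, body: str) -> str:
    """Keep the prefix and the last four characters: enough to recognise the
    key in a report, not enough to use it."""
    return f"tskey-{kind}-...{body[-4:]}"


def scan_text(path: str, text: str, verify: Callable[[str], bool]) -> list[Finding]:
    """Find candidate keys in one file and verify each one."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            kind = m.group("kind")
            findings.append(Finding(
                path=path,
                line_no=line_no,
                kind=KIND_LABELS.get(kind, f"unknown key type '{kind}'"),
                redacted=redact(kind, m.group("body")),
                active=verify(m.group(0)),
            ))
    return findings


def scan_files(files: dict[str, str], verify: Callable[[str], bool]) -> list[Finding]:
    """Scan a mapping of path -> file contents (a stand-in for a repository)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text, verify))
    return findings


def make_offline_verifier(active_keys: set[str]) -> Callable[[str], bool]:
    """Stand-in for the read-only call TruffleHog makes to Tailscale. It only
    answers "is this key active?"; like the real check, it changes nothing."""
    return lambda secret: secret in active_keys


def report(findings: Iterable[Finding]) -> list[str]:
    """Notification lines. Active keys are flagged for rotation because, as the
    article notes, Tailscale does not revoke a reported key automatically."""
    lines = []
    for f in findings:
        status = "ACTIVE: revoke and rotate" if f.active else "inactive"
        lines.append(f"{f.path}:{f.line_no}: {f.kind} {f.redacted} [{status}]")
    return lines


# Constructed sample repository contents; these are not real keys.
SAMPLE_FILES = {
    "deploy/ci.yml": "env:\n  TS_AUTHKEY: tskey-auth-kExample0123456789-abcdefghijklmnop\n",
    "scripts/rotate.sh": "# old token, rotated last week\nTOKEN=tskey-api-kOldToken0123456789abcdef\n",
    "README.md": "Run `tailscale up --authkey=<your key>` to join the tailnet.\n",
}

# Constructed: the keys the offline verifier treats as still active.
ACTIVE_KEYS = {"tskey-auth-kExample0123456789-abcdefghijklmnop"}

if __name__ == "__main__":
    for line in report(scan_files(SAMPLE_FILES, make_offline_verifier(ACTIVE_KEYS))):
        print(line)
```

Two design points carry over to any real scanner: the verifier is a separate, injectable step so the detection logic can be tested without touching a live tailnet, and the full secret never appears in the report, only a redacted form that is enough to locate the key and rotate it.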