Show HN: Tailsnitch – a security auditing tool for Tailscale
Tailsnitch is a new security auditing tool for Tailscale configurations, designed to scan a tailnet for misconfigurations, overly permissive access controls, and violations of security best practices. It supports two authentication methods, OAuth and API key, and includes an interactive fix mode.
A security auditor for Tailscale configurations. Scans your tailnet for misconfigurations, overly permissive access controls, and security best practice violations.
Adversis/tailsnitch
Tailsnitch
A security auditor for Tailscale configurations. Tailsnitch scans your tailnet for 50+ misconfigurations, overly permissive access controls, and security best practice violations.
Quick Start
Installation
Download Pre-built Binary
Download the latest release from GitHub Releases.
macOS users: Remove quarantine attribute after download:
Install via Go
Build from Source
Authentication
Tailsnitch supports two authentication methods. OAuth is preferred when both are configured.
Option 1: OAuth Client (Recommended)
OAuth clients provide scoped, auditable access that doesn't expire when employees leave.
Create an OAuth client at: https://login.tailscale.com/admin/settings/oauth
Required scopes for read-only audit:
Additional scopes for fix mode:
Option 2: API Key
API keys operate as the user who created them and inherit that user's permissions.
Create an API key at: https://login.tailscale.com/admin/settings/keys
Usage Examples
Basic Audit
Filter Results
Interactive Fix Mode
Fix mode allows you to remediate issues directly via the Tailscale API:
API-fixable items:
Fix mode also provides direct links to the admin console for issues that require manual intervention.
SOC 2 Evidence Export
Generate evidence reports for SOC 2 audits with Common Criteria (CC) control mappings:
The SOC 2 report includes:
Example CSV output:
Ignore Known Risks
Create a .tailsnitch-ignore file to suppress findings for known-accepted risks:
Ignore file locations (checked in order):
JSON Export and Processing
Command Reference
Security Checks
Tailsnitch performs 52 security checks across 7 categories. See docs/CHECKS.md for detailed documentation of each check.
Critical Severity
High Severity
Medium Severity
Informational
Checks for logging configuration, DNS settings, user roles, and manual verification items.
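The category the README describes as "overly permissive access controls" is, for a Tailscale tailnet, mostly a question of what the ACL policy file allows. The script below is an added example and is not Tailsnitch's own code: it parses a policy in Tailscale's documented policy-file shape (an `acls` list of `{"action", "src", "dst"}` rules written in HuJSON) and rates accept rules that use `*` for source, destination host, or port. The sample policy, the `hujson_to_json`/`find_permissive_rules` helpers and the severity labels are constructed for this example and are assumptions, not the tool's actual 52 checks.

```python
"""Flag overly permissive rules in a Tailscale ACL policy.

Added example, not Tailsnitch's own code. It relies on the documented shape
of Tailscale's policy file (an "acls" list of {"action", "src", "dst"} rules
in HuJSON syntax); the sample policy and the severity ratings below are
constructed for this example and are assumptions, not the tool's checks.
"""
import json
import re

# Constructed sample policy. The first rule is the allow-all rule a new
# tailnet ships with; the third lets every member reach all ports on tag:prod.
SAMPLE_POLICY = """
{
  // comment in HuJSON style
  "acls": [
    {"action": "accept", "src": ["*"], "dst": ["*:*"]},
    {"action": "accept", "src": ["group:admins"], "dst": ["tag:prod:22"]},
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:prod:*"]},
  ],
}
"""


def hujson_to_json(text):
    """Strip // and /* */ comments and trailing commas so json.loads accepts it.

    Simplification: a '//' inside a string value (e.g. a URL) would be treated
    as a comment start; use a real HuJSON parser for production policies.
    """
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return text


def split_dst(dst):
    """'tag:prod:22' -> ('tag:prod', '22'); '*:*' -> ('*', '*')."""
    host, _, port = dst.rpartition(":")
    return host, port


def find_permissive_rules(policy):
    """Return (rule_index, severity, message) for each over-broad accept rule."""
    findings = []
    for idx, rule in enumerate(policy.get("acls", [])):
        if rule.get("action") != "accept":
            continue
        src = rule.get("src", [])
        dst = rule.get("dst", [])
        any_src = "*" in src
        any_host = any(split_dst(d)[0] == "*" for d in dst)
        any_port = any(split_dst(d)[1] == "*" for d in dst)

        if any_src and any_host and any_port:
            findings.append((idx, "critical",
                             "allow-all rule: every device can reach every port everywhere"))
        elif any_src:
            findings.append((idx, "high",
                             "any source may reach %s" % ", ".join(dst)))
        elif any_host:
            findings.append((idx, "high",
                             "%s may reach every host" % ", ".join(src)))
        elif any_port:
            findings.append((idx, "medium",
                             "%s may reach all ports on %s" % (", ".join(src), ", ".join(dst))))
    return findings


def audit_policy_text(text):
    """Parse a HuJSON policy document and return its permissive-rule findings."""
    return find_permissive_rules(json.loads(hujson_to_json(text)))


if __name__ == "__main__":
    # Constructed run over the sample policy; real use would read the policy
    # exported from the admin console or the Tailscale API.
    for idx, severity, message in audit_policy_text(SAMPLE_POLICY):
        print("[%s] acls[%d]: %s" % (severity.upper(), idx, message))
```

The ordering of the branches matters: a rule that is wildcard on source, host and port is reported once as the allow-all case rather than three times, and narrower wildcards fall through to the lower severities. Any source you reach with `*` should be replaced by a group, tag or autogroup, and any `:*` port with the ports the workload actually serves.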
Output Example
Tailnet Lock Checks
Tailnet Lock checks (DEV-010, DEV-012) require the local tailscale CLI and run against the local machine's daemon. When auditing a remote tailnet via --tailnet, these checks reflect local status, not the audited tailnet.
CI/CD Integration
Run Tailsnitch in CI/CD pipelines to catch security regressions:
References
License
MIT
Contributing
See CONTRIBUTING.md for guidelines.