Show HN: Tailsnitch – A Security Auditor for Tailscale


Hacker News, Jan 5, 2026


Why It Matters

By re-checking ACLs, device tags, and auth-key settings on a schedule rather than once at setup, Tailsnitch gives tailnet administrators a repeatable way to catch grants that have drifted from least privilege and to produce the evidence that compliance reviews ask for, which lowers the chance that an over-broad rule sits unnoticed until an attacker uses it.

Key Takeaways

  • Runs more than 50 checks for Tailscale misconfigurations across access control, authentication, device management, and network exposure.
  • Authenticates to the Tailscale API with either an OAuth client or an API key.
  • Interactive fix mode remediates low-risk findings directly and walks through the rest.
  • Exports findings as JSON, CSV, and SOC 2 evidence files.
  • JSON output lets a CI/CD step fail the pipeline on critical or high-severity findings.

Pulse Analysis

As zero-trust networking gains traction, Tailscale has become a widely used managed WireGuard-based mesh for remote workforces and service-to-service connectivity. Its fast setup and automatic node-key rotation make it attractive, but the same flexibility that drives adoption also produces configuration drift and over-broad grants: an ACL rule left at the permissive default, a tag anyone can apply, or a reusable auth key that never expires. Organizations that route internal traffic over a tailnet therefore need continuous verification that ACLs, device tags, and auth-key policies still match least-privilege intent. Without dedicated tooling, such misconfigurations linger unnoticed and quietly widen the attack surface.

Tailsnitch fills that gap with a command-line auditor that scans a tailnet against more than fifty predefined checks covering access control, authentication, device management, and network exposure. It authenticates with either an OAuth client or an API key; an OAuth client is scoped and is not bound to an individual's account, so the auditor's own access is narrow, auditable, and does not disappear when an employee leaves. Findings are grouped by severity, and an interactive '--fix' mode remediates low-risk issues automatically or guides administrators through the corrections that need a human decision. Export options include JSON, CSV, and SOC 2-compatible evidence files, which simplifies handing results to auditors and regulators.

Because Tailsnitch is a Go program shipped as pre-built binaries, it drops into existing DevOps pipelines with little effort. A typical CI/CD step runs the auditor, parses its JSON output, and fails the build when the number of critical or high-severity findings exceeds a defined threshold, turning a security misconfiguration into a hard stop rather than a ticket. This also matches what frameworks such as ISO 27001 and NIST SP 800-53 expect under continuous monitoring. As more organizations adopt mesh VPNs, auditors of this kind become a standard part of a zero-trust programme rather than an optional extra.
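To make the two ideas above concrete (the kind of ACL check an auditor runs, and a CI gate that fails on a findings budget), here is an added example in Python. It is not Tailsnitch's code and does not use its CLI or output format: the check identifiers, severities, findings layout, and the sample policy are all this example's own assumptions. It audits a Tailscale policy document for the allow-all default rule, wildcard destinations, all-port grants, and unconditional root SSH, then applies a threshold the way a pipeline step would.

```python
"""Added example: a small Tailscale ACL auditor plus a CI gate.

Not Tailsnitch's code. Check names, severities and the findings layout
are assumptions made for this example.
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample policy (plain JSON). A real policy file is HuJSON,
# so comments and trailing commas must be stripped before json.loads.
SAMPLE_POLICY = json.dumps({
    "groups": {"group:devs": ["alice@example.com"]},
    "tagOwners": {"tag:prod": ["autogroup:admin"], "tag:ci": ["group:devs"]},
    "acls": [
        {"action": "accept", "src": ["*"], "dst": ["*:*"]},              # allow-all default
        {"action": "accept", "src": ["group:devs"], "dst": ["tag:prod:*"]},  # every port on prod
        {"action": "accept", "src": ["tag:ci"], "dst": ["tag:prod:22"]},     # scoped, fine
    ],
    "ssh": [
        {"action": "accept", "src": ["autogroup:member"],
         "dst": ["autogroup:self"], "users": ["autogroup:nonroot"]},
        {"action": "accept", "src": ["group:devs"],
         "dst": ["tag:prod"], "users": ["root"]},                          # root without 'check'
    ],
})


def _finding(check, severity, where, detail):
    return {"check": check, "severity": severity, "where": where, "detail": detail}


def audit_policy(policy_text):
    """Return findings for over-broad grants, most severe first."""
    policy = json.loads(policy_text)
    findings = []

    for i, rule in enumerate(policy.get("acls", [])):
        if rule.get("action") != "accept":
            continue
        src, dst = rule.get("src", []), rule.get("dst", [])
        where = f"acls[{i}]"
        if "*" in src and "*:*" in dst:
            # The rule a fresh tailnet ships with: every node reaches every port.
            findings.append(_finding("ACL-ALLOW-ALL", "critical", where,
                                     "src '*' to dst '*:*' grants every node every port"))
        elif "*:*" in dst:
            findings.append(_finding("ACL-ANY-DST", "high", where,
                                     f"{src} may reach any node on any port"))
        elif any(d.endswith(":*") for d in dst):
            findings.append(_finding("ACL-ALL-PORTS", "medium", where,
                                     f"{src} may reach all ports on {dst}"))

    for i, rule in enumerate(policy.get("ssh", [])):
        users, dst = rule.get("users", []), rule.get("dst", [])
        # Unconditional root SSH anywhere other than a user's own devices.
        if rule.get("action") == "accept" and "root" in users and dst != ["autogroup:self"]:
            findings.append(_finding("SSH-ROOT-ACCEPT", "high", f"ssh[{i}]",
                                     f"{rule.get('src')} gets root on {dst} without 'check' mode"))

    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


def gate(findings, max_critical=0, max_high=0):
    """CI gate: (passed, per-severity counts). Medium/low do not block."""
    counts = Counter(f["severity"] for f in findings)
    passed = counts["critical"] <= max_critical and counts["high"] <= max_high
    return passed, {sev: counts[sev] for sev in SEVERITY_ORDER}


if __name__ == "__main__":
    # Usage: python acl_gate.py [policy.json]; exit status 1 fails the pipeline.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    results = audit_policy(text)
    passed, counts = gate(results)
    json.dump({"passed": passed, "counts": counts, "findings": results}, sys.stdout, indent=2)
    print()
    sys.exit(0 if passed else 1)
```

On the sample policy this reports one critical (the allow-all rule), one high (root SSH to production) and one medium (all ports on tag:prod), and the gate fails with its default budget of zero critical and zero high. Raising the budget lets a team ratchet down gradually; the scoped rule `tag:ci -> tag:prod:22` produces nothing, which is the shape every rule should end up in.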
