Secure Tailscale with cnspec

Scan a Tailscale tailnet against security and compliance best practices with cnspec.

Scan your Tailscale tailnet to find security risks before they become incidents. cnspec evaluates device authorization, key expiry, client versions, tailnet lock state, user idleness, and dozens of other Tailscale controls.

If you're new to cnspec, start with the Quickstart. For an overview of every SaaS service cnspec can scan, see the SaaS scanning overview.

Prerequisites

To scan a Tailscale tailnet with cnspec, you must have:

Authenticate

cnspec connects to Tailscale using an API access token. To create one:

  1. Log in to the Tailscale admin console.
  2. Navigate to Settings > Keys.
  3. Generate a new API access token.
  4. Copy the token value.

You can pass the token on the command line with --token, or export it once and reuse it across commands:

export TAILSCALE_API_KEY=YOUR_TOKEN

Using OAuth client credentials

For OAuth authentication:

cnspec shell tailscale --client-id YOUR_CLIENT_ID --client-secret YOUR_CLIENT_SECRET

You can also set these environment variables:

  • TAILSCALE_OAUTH_CLIENT_ID
  • TAILSCALE_OAUTH_CLIENT_SECRET
  • TAILSCALE_TAILNET (optional, for specifying the tailnet)

Connection options

Option           Description
--token          Tailscale API access token for authentication
--client-id      Tailscale OAuth client ID for authentication
--client-secret  Tailscale OAuth client secret for authentication
--base-url       Base URL for the Tailscale API

Verify with a quick Tailscale check

Confirm that cnspec can reach your tailnet by opening a cnspec shell:

cnspec shell tailscale --token YOUR_TOKEN

If cnspec connects and shows a prompt, you're ready to scan.

Scan Tailscale

cnspec scan tailscale --token YOUR_TOKEN

When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy, along with a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues. To learn more about reading scan results, read Understand cnspec Results.

Scan with the Mondoo Tailscale Security policy

Mondoo maintains an out-of-the-box Tailscale Security policy that checks device authorization, key expiry, update status, and more.

Mondoo Platform users: Enable the policy in your space. In the Mondoo App, go to Findings > Policies, search for "Tailscale", and add the policy. To learn more, read Manage policies in Mondoo Platform.

Open source users: Pass the policy bundle URL directly to cnspec:

cnspec scan tailscale --token YOUR_TOKEN \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-tailscale-security.mql.yaml

You can also create your own policies to meet your specific requirements.

Explore and test checks interactively

Open a cnspec shell to discover resources and try out checks:

cnspec shell tailscale --token YOUR_TOKEN

Retrieve the tailnet name

cnspec> tailscale.tailnet
tailscale.tailnet: "example.com"

List all devices

cnspec> tailscale.devices
tailscale.devices: [
  0: tailscale.device name="laptop-1"
  1: tailscale.device name="server-prod"
  ...
]

List all users

cnspec> tailscale.users
tailscale.users: [
  0: tailscale.user loginName="user@example.com"
  ...
]

Retrieve configured DNS nameservers

cnspec> tailscale.nameservers

Example security checks

Ensure all devices are authorized

cnspec> tailscale.devices.all(authorized == true)
[ok] value: true

Ensure key expiry is enabled on all devices

cnspec> tailscale.devices.all(keyExpiryDisabled == false)
[ok] value: true

Ensure all devices are running the latest client

cnspec> tailscale.devices.all(updateAvailable == false)
[ok] value: true

Ensure no devices have tailnet lock errors

cnspec> tailscale.devices.all(tailnetLockError == "")
[ok] value: true

Ensure no users are idle

cnspec> tailscale.users.none(status == "idle")
[ok] value: true
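To turn the interactive checks above into a repeatable scan (the custom policy the "create your own policies" note refers to), here is an added example of a cnspec policy bundle; it is not Mondoo's published Tailscale bundle, and the policy/query uids, impact scores and remediation text are hypothetical.

```yaml
# Custom cnspec policy bundle (added example, not Mondoo's own bundle).
# Save as custom-tailscale.mql.yaml and run it with:
#   cnspec scan tailscale --token YOUR_TOKEN --policy-bundle ./custom-tailscale.mql.yaml
# All uids, impact values and docs text below are hypothetical choices.
policies:
  - uid: custom-tailscale-security
    name: Custom Tailscale Security
    version: 1.0.0
    groups:
      - title: Device and user hygiene
        checks:
          - uid: ts-devices-authorized
          - uid: ts-devices-key-expiry-enabled
          - uid: ts-devices-up-to-date
          - uid: ts-devices-no-tailnet-lock-errors
          - uid: ts-users-not-idle
queries:
  - uid: ts-devices-authorized
    title: Ensure all devices are authorized
    impact: 80
    mql: tailscale.devices.all(authorized == true)
    docs:
      remediation: Review unauthorized devices in the Tailscale admin console and authorize or remove them.
  - uid: ts-devices-key-expiry-enabled
    title: Ensure key expiry is enabled on all devices
    impact: 60
    mql: tailscale.devices.all(keyExpiryDisabled == false)
    docs:
      remediation: Re-enable key expiry for the affected devices so node keys rotate.
  - uid: ts-devices-up-to-date
    title: Ensure all devices are running the latest client
    impact: 50
    mql: tailscale.devices.all(updateAvailable == false)
    docs:
      remediation: Update the Tailscale client on devices that report an available update.
  - uid: ts-devices-no-tailnet-lock-errors
    title: Ensure no devices have tailnet lock errors
    impact: 70
    mql: tailscale.devices.all(tailnetLockError == "")
    docs:
      remediation: Investigate and sign or remove devices reporting a tailnet lock error.
  - uid: ts-users-not-idle
    title: Ensure no users are idle
    impact: 40
    mql: tailscale.users.none(status == "idle")
    docs:
      remediation: Review idle users and remove accounts that are no longer needed.
```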

Learn more