
Secure Tailscale with cnspec

Scan a Tailscale tailnet against security and compliance best practices with cnspec.

Scan your Tailscale tailnet to find security risks before they become incidents. cnspec evaluates device authorization, key expiry, client versions, tailnet lock state, user idleness, and dozens of other Tailscale controls.

Prerequisites

To scan a Tailscale tailnet with cnspec, you must have:

Authenticate

cnspec connects to Tailscale using an API access token. To create one:

  1. Log in to the Tailscale admin console.
  2. Navigate to Settings > Keys.
  3. Generate a new API access token.
  4. Copy the token value.

You can pass the token on the command line with --token, or export it once and reuse it across commands. Prefer the environment variable for anything beyond a one-off test: a token passed as a flag ends up in your shell history and is visible to other users on the host through the process list, whereas an exported variable is not.

export TAILSCALE_API_KEY=YOUR_TOKEN

Using OAuth client credentials

OAuth client credentials are an alternative to a personal API access token. Create an OAuth client in the Tailscale admin console, grant it only the read scopes for the resources you want to scan, and pass its ID and secret:

cnspec shell tailscale --client-id YOUR_CLIENT_ID --client-secret YOUR_CLIENT_SECRET

You can also set these environment variables:

  • TAILSCALE_OAUTH_CLIENT_ID
  • TAILSCALE_OAUTH_CLIENT_SECRET
  • TAILSCALE_TAILNET (optional, for specifying the tailnet)

Verify with a quick Tailscale check

Confirm that cnspec can reach your tailnet by opening a cnspec shell:

cnspec shell tailscale --token YOUR_TOKEN

If cnspec connects and shows a prompt, you're ready to scan.

Scan Tailscale

cnspec scan tailscale --token YOUR_TOKEN

Scan with the Mondoo Tailscale Security policy

Mondoo maintains an out-of-the-box Tailscale Security policy that checks device authorization, key expiry, update status, and more.

Mondoo Platform users: Enable the policy in your space. In the Mondoo Console, go to Findings > Policies, search for "Tailscale", and add the policy. To learn more, read Manage Policies.

Open source users: Pass the policy bundle URL directly to cnspec:

cnspec scan tailscale --token YOUR_TOKEN \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-tailscale-security.mql.yaml

You can also create your own policies to meet your specific requirements.

Explore and test checks interactively

Open a cnspec shell to discover resources and try out checks:

cnspec shell tailscale --token YOUR_TOKEN

Retrieve the tailnet name

cnspec> tailscale.tailnet
tailscale.tailnet: "example.com"

List all devices

cnspec> tailscale.devices
tailscale.devices: [
  0: tailscale.device name="laptop-1"
  1: tailscale.device name="server-prod"
  ...
]

List all users

cnspec> tailscale.users
tailscale.users: [
  0: tailscale.user loginName="user@example.com"
  ...
]

Retrieve configured DNS nameservers

cnspec> tailscale.nameservers

Example security checks

Ensure all devices are authorized

cnspec> tailscale.devices.all(authorized == true)
[ok] value: true

Ensure key expiry is enabled on all devices

cnspec> tailscale.devices.all(keyExpiryDisabled == false)
[ok] value: true

Ensure all devices are running the latest client

cnspec> tailscale.devices.all(updateAvailable == false)
[ok] value: true

Ensure no devices have tailnet lock errors

cnspec> tailscale.devices.all(tailnetLockError == "")
[ok] value: true

Ensure no users are idle

cnspec> tailscale.users.none(status == "idle")
[ok] value: true
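The checks above can be packaged into a policy bundle of your own, which is what the earlier note about creating custom policies refers to. The bundle below is an added example, not the Mondoo Tailscale Security policy or any file from the cnspec repository; the MQL queries are the ones shown on this page, while the policy and query uids, the names, the impact scores and the asset.platform filter value are assumptions.

```yaml
# custom-tailscale.mql.yaml
# Added example bundle (not Mondoo's policy). The MQL is taken from the
# checks on this page; uids, names, impact values and the platform
# filter are assumptions.
policies:
  - uid: custom-tailscale-hygiene
    name: Custom Tailscale hygiene
    version: 1.0.0
    authors:
      - name: Example security team
    groups:
      - title: Device and user hygiene
        # Assumption: the Tailscale provider reports the platform as "tailscale".
        filters: asset.platform == "tailscale"
        checks:
          - uid: custom-tailscale-devices-authorized
          - uid: custom-tailscale-key-expiry-enabled
          - uid: custom-tailscale-clients-current
          - uid: custom-tailscale-no-lock-errors
          - uid: custom-tailscale-no-idle-users

queries:
  - uid: custom-tailscale-devices-authorized
    title: Ensure all devices are authorized
    impact: 90
    mql: tailscale.devices.all(authorized == true)
    docs:
      desc: Unauthorized devices should not hold a node key for the tailnet.
      remediation: Authorize or remove the device in the admin console.

  - uid: custom-tailscale-key-expiry-enabled
    title: Ensure key expiry is enabled on all devices
    impact: 70
    mql: tailscale.devices.all(keyExpiryDisabled == false)
    docs:
      desc: Devices with key expiry disabled never have to re-authenticate.
      remediation: Re-enable key expiry for the device in the admin console.

  - uid: custom-tailscale-clients-current
    title: Ensure all devices are running the latest client
    impact: 60
    mql: tailscale.devices.all(updateAvailable == false)

  - uid: custom-tailscale-no-lock-errors
    title: Ensure no devices have tailnet lock errors
    impact: 80
    mql: tailscale.devices.all(tailnetLockError == "")

  - uid: custom-tailscale-no-idle-users
    title: Ensure no users are idle
    impact: 40
    mql: tailscale.users.none(status == "idle")
```

Run it the same way as the Mondoo bundle, pointing --policy-bundle at the local file instead of the GitHub URL: cnspec scan tailscale --policy-bundle custom-tailscale.mql.yaml (with the token supplied via TAILSCALE_API_KEY). Each query is a separate check with its own uid, so a failing device or user is reported against the specific control rather than one combined result.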
