January 5, 2026
Quarantine vs YOLO: tailnet drama tonight
Show HN: Tailsnitch – A Security Auditor for Tailscale
New Tailsnitch scans your Tailscale for risky mistakes—admins cheer, skeptics side‑eye the 'YOLO' fixes
TLDR: Tailsnitch audits Tailscale setups, flags 50+ risky settings, and can auto‑fix some issues while exporting SOC 2 evidence. Comments split between relief over taming sprawling policies and skepticism about running a downloaded binary; many want Tailscale to make this built‑in and ask about Headscale support.
Meet Tailsnitch, a new tool that scans your tailnet (Tailscale private network) for 50+ risky settings, loose access rules, and missed best practices, then can even fix some of them via an interactive "fix mode." It authenticates with OAuth (the recommended route) or with old‑school API keys, and spits out SOC 2 evidence for auditors.
The crowd is hyped but divided. One top comment laughs then winces at the install step that tells macOS users to remove quarantine from a downloaded binary—cue the “random binary” jokes and sighs about trust. Others want “custom checks” and a big friendly “scan now” button baked into Tailscale itself.
Admins of fast‑growing teams cheered, confessing their ACL policy files are now "terrifyingly long" and that they constantly worry some tag is too open. The tool's cheeky "yolo" fix flag sparked memes about pressing the red button, while pragmatists ask whether it actually catches that over‑permissive‑tag problem and whether it works with Headscale.
Under the fun is a serious split: convenience versus caution. Fans love one‑click audits and SOC 2 exports; skeptics question running a third‑party binary against core infrastructure. If Tailsnitch delivers—and Tailscale embraces the idea—this could become the safety net for tailnets everywhere. Either way, the comments are on fire. Bring popcorn now.
Key Points
- Tailsnitch audits Tailscale tailnets for 50+ misconfigurations, permissive access, and best-practice violations.
- Supports OAuth (recommended) and API key authentication; lists the scopes required for read-only mode and for fix mode.
- Provides installation via GitHub Releases, Go install, or building from source, with macOS quarantine removal guidance (clearing the quarantine attribute skips Gatekeeper's check on the file, so verify the release checksum first).
- Includes an interactive fix mode with dry-run and auto options; can delete/replace auth keys, manage device tags, remove stale devices, and authorize pending devices.
- Exports SOC 2 evidence (JSON/CSV) with per-resource results, Common Criteria mappings, statuses, and timestamps.
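To make the kind of check described above concrete, here is an added example, not Tailsnitch's own code and not a reproduction of its rule set: a small Go program that parses a tailnet policy file and flags the permissive patterns the admins in the thread were worried about, namely the default allow-all ACL, wildcard destinations, tags that any member can apply or that own themselves, and catch-all auto-approvers. The rule names, the constructed sample policy, and the choice of checks are assumptions made for this illustration; the program also assumes the policy has been rendered as plain JSON, since Tailscale's policy editor accepts HuJSON (comments and trailing commas) that `encoding/json` will reject.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Policy covers the parts of a Tailscale policy file these checks read. It expects
// plain JSON; the policy editor accepts HuJSON (comments, trailing commas), so
// strip those before handing the document to encoding/json.
type (
	Policy struct { // encoding/json matches keys case-insensitively, so no tags needed
		ACLs          []ACL
		TagOwners     map[string][]string
		AutoApprovers struct {
			Routes   map[string][]string
			ExitNode []string
		}
	}
	ACL struct {
		Action   string
		Src, Dst []string
	}
	Finding struct{ Rule, Resource, Detail string } // rule names are invented for this example
)

func has(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// Audit parses a policy document, runs a few permissiveness checks, and returns
// findings sorted by rule and resource (map iteration order is random in Go).
func Audit(doc string) ([]Finding, error) {
	var p Policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, err
	}
	var out []Finding
	add := func(rule, res, detail string) { out = append(out, Finding{rule, res, detail}) }
	for i, a := range p.ACLs {
		if a.Action != "accept" {
			continue
		}
		res := fmt.Sprintf("acls[%d]", i)
		switch anySrc, anyDst := has(a.Src, "*"), has(a.Dst, "*:*"); {
		case anySrc && anyDst:
			add("ACL-ALLOW-ALL", res, "the default everyone-to-everything rule is still present")
		case anyDst:
			add("ACL-WILDCARD-DST", res, strings.Join(a.Src, ",")+" can reach every node on every port")
		}
	}
	for tag, owners := range p.TagOwners {
		if has(owners, "autogroup:member") {
			add("TAG-ANY-MEMBER", tag, "any user can apply this tag, so whatever it grants is granted to everyone")
		}
		if has(owners, tag) {
			add("TAG-SELF-OWNED", tag, "nodes carrying this tag can mint more nodes with it, with no human in the loop")
		}
	}
	for cidr, who := range p.AutoApprovers.Routes {
		if cidr == "0.0.0.0/0" || cidr == "::/0" {
			add("AUTOAPPROVE-ANY-ROUTE", cidr, "every subnet route advertised by "+strings.Join(who, ",")+" is approved unreviewed")
		}
	}
	if has(p.AutoApprovers.ExitNode, "autogroup:member") {
		add("AUTOAPPROVE-EXIT-NODE", "exitNode", "any member can become an exit node without admin approval")
	}
	key := func(f Finding) string { return f.Rule + "\x00" + f.Resource }
	sort.Slice(out, func(i, j int) bool { return key(out[i]) < key(out[j]) })
	return out, nil
}

// samplePolicy is constructed for this example; it is not a real tailnet's policy.
const samplePolicy = `{
  "acls": [
    {"action": "accept", "src": ["*"], "dst": ["*:*"]},
    {"action": "accept", "src": ["group:oncall"], "dst": ["tag:prod:22"]},
    {"action": "accept", "src": ["tag:ci"], "dst": ["*:*"]}
  ],
  "tagOwners": {"tag:prod": ["group:sre"], "tag:ci": ["autogroup:member", "tag:ci"]},
  "autoApprovers": {"routes": {"0.0.0.0/0": ["tag:ci"], "10.0.0.0/8": ["group:sre"]}, "exitNode": ["autogroup:member"]}
}`

func main() {
	findings, err := Audit(samplePolicy)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-22s %-10s %s\n", f.Rule, f.Resource, f.Detail)
	}
}
```

On the constructed sample this reports six findings: the first ACL is the allow-all rule a fresh tailnet ships with, the third lets `tag:ci` reach everything, `tag:ci` is both assignable by any member and self-owning (so a compromised CI node can tag more nodes into the same trust), and both auto-approvers accept anything. The second ACL, scoped to a group and a single tagged port, produces nothing, which is the shape a long policy file should converge toward.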