# Phase 13: OSINT Package Registries, Containers & IaC - Context

**Gathered:** 2026-04-06
**Status:** Ready for planning
**Mode:** Auto-generated

## Phase Boundary

Adds ReconSource implementations for package registry searches (npm, PyPI, Crates.io, RubyGems, Maven, NuGet, Go Proxy), container image inspection (Docker Hub, Docker Compose files), and infrastructure-as-code sources (Kubernetes configs, Terraform Registry) to detect API keys embedded in published packages, images, and IaC definitions.

## Implementation Decisions

### Claude's Discretion

All implementation choices are at Claude's discretion. Follow the established Phase 10 pattern: each source implements recon.ReconSource, uses pkg/recon/sources/httpclient.go for HTTP, uses httptest for tests. Each source goes in its own file.

## Existing Code Insights

### Reusable Assets

- pkg/recon/sources/ — established source implementation pattern from Phase 10
- pkg/recon/sources/httpclient.go — shared retry HTTP client
- pkg/recon/sources/register.go — RegisterAll (extend per phase)
- pkg/recon/source.go — ReconSource interface

## Specific Ideas

- NpmSource — search npm registry for packages leaking API keys
- PyPISource — search PyPI for packages with embedded keys
- CratesIOSource — search Crates.io for Rust packages with key leaks
- RubyGemsSource — search RubyGems for gems with exposed keys
- MavenSource — search Maven Central for Java artifacts with keys
- NuGetSource — search NuGet for .NET packages with key exposure
- GoProxySource — search Go module proxy for modules with keys
- ComposeSource — scan Docker Compose files for hardcoded keys
- DockerHubSource — inspect public Docker Hub images for embedded keys
- KubernetesConfigSource — scan public Kubernetes configs/manifests for secrets
- TerraformRegistrySource — search Terraform Registry modules for leaked keys

## Deferred Ideas

None — straightforward source implementations.
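
The check that the ComposeSource idea under Specific Ideas calls for, sketched as an added example (not code from this project): it flags environment entries in a Compose file that carry a literal credential while skipping values resolved at deploy time. `ScanCompose`, the name heuristic and the sample file are assumptions made for illustration, and the function does not implement recon.ReconSource, whose definition is not shown on this page.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

var (
	// Matches "KEY=value", "KEY: value" and the list form "- KEY=value".
	envLine = regexp.MustCompile(`^\s*(?:-\s*)?["']?([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*(.*)$`)
	// Assumed heuristic: variable names that suggest a credential.
	secretName = regexp.MustCompile(`(?i)(api_?key|secret|token|passw(or)?d)`)
	// ${VAR}, ${VAR:-x} and $VAR are resolved at deploy time, not hardcoded.
	interpolated = regexp.MustCompile(`^\$\{?[A-Za-z_][A-Za-z0-9_]*(:?[-?][^}]*)?\}?$`)
)
// Constructed sample; the values are placeholders, not real credentials.
const sampleCompose = `services:
  api:
    environment:
      - API_KEY=CONSTRUCTED-not-a-real-key
      - DB_PASSWORD=${DB_PASSWORD}
      - LOG_LEVEL=debug
  worker:
    environment:
      STRIPE_SECRET: "constructed-value"
      AUTH_TOKEN: ${AUTH_TOKEN:-}
      SESSION_TOKEN:
`

// ScanCompose lists credential-named entries that carry a literal value.
func ScanCompose(src string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line, _, _ := strings.Cut(sc.Text(), " #") // drop trailing YAML comment
		if m := envLine.FindStringSubmatch(line); m != nil {
			val := strings.Trim(m[2], `"' `)
			if secretName.MatchString(m[1]) && val != "" && !interpolated.MatchString(val) {
				out = append(out, fmt.Sprintf("line %d: %s", n, m[1]))
			}
		}
	}
	return out
}

func main() {
	fmt.Println(strings.Join(ScanCompose(sampleCompose), "\n"))
}
```

Entries left empty or written as `${VAR}` are passed over because the value comes from the deploying host rather than from the published file.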