feature: Code-Pathfinder online hosted sandbox playground

README.md

@@ -8,13 +8,16 @@ About
 Code Pathfinder, the open-source alternative to GitHub CodeQL. Built for advanced structural search, derive insights, find vulnerabilities in code.
 
 [![Build and Release](https://github.com/shivasurya/code-pathfinder/actions/workflows/build.yml/badge.svg)](https://github.com/shivasurya/code-pathfinder/actions/workflows/build.yml) [![Go Report Card](https://goreportcard.com/badge/github.com/shivasurya/code-pathfinder/sourcecode-parser)](https://goreportcard.com/report/github.com/shivasurya/code-pathfinder/sourcecode-parser)
-[![MIT License](https://img.shields.io/github/license/shivasurya/code-pathfinder)](https://github.com/shivasurya/code-pathfinder/blob/main/LICENSE)
+[![AGPL-3.0 License](https://img.shields.io/github/license/shivasurya/code-pathfinder)](https://github.com/shivasurya/code-pathfinder/blob/main/LICENSE)
 [![Discord](https://img.shields.io/discord/1259511338183557120?logo=discord&label=discord&utm_source=github)](https://discord.gg/xmPdJC6WPX)
 [![codecov](https://codecov.io/gh/shivasurya/code-pathfinder/graph/badge.svg?token=VYQLI49TF4)](https://codecov.io/gh/shivasurya/code-pathfinder)
+![Code-Pathfinder Playground](https://badgen.net/static/Online%20Playground/live/cyan?icon=terminal)
 </div>
 
 ## :tv: Demo
 
+Try interactive online playground [here](https://play.codepathfinder.dev/).
+
 ```bash
 docker run --rm -v "./src:/src" shivasurya/code-pathfinder:stable-latest ci --project /src/code-pathfinder/test-src --ruleset cpf/java
 ```

docs/src/content/docs/atlas/index.mdx

@@ -9,6 +9,9 @@ hero:
       link: /quickstart
       icon: right-arrow
       variant: primary
+    - text: Playground
+      link: https://play.codepathfinder.dev
+      icon: forward-slash
     - text: Documentation
       link: /overview
       icon: open-book

docs/src/content/docs/blog/code-pathfinder-closure-table-hierarchical-queries.mdx

@@ -159,7 +159,7 @@ import { Card } from '@astrojs/starlight/components';
 
     ### Closing Note
 
-    Discover [Code-PathFinder](https://github.com/shivasurya/code-pathfinder), the open-source alternative to CodeQL—a powerful tool engineered to detect security vulnerabilities. Unlike grep-based scanners such as Semgrep or ast-grep, Code-PathFinder enables fine-tuning of queries to more effectively eliminate false positives, thanks to its advanced taint analysis and source-to-sink tracing capabilities. Give it a try, and if you encounter any bugs or have suggestions, please file an issue.
+    Discover [Code-PathFinder](https://github.com/shivasurya/code-pathfinder), the open-source alternative to CodeQL—a powerful tool engineered to detect security vulnerabilities. Unlike grep-based scanners such as ast-grep, Code-PathFinder enables fine-tuning of queries to more effectively eliminate false positives, thanks to its advanced taint analysis and source-to-sink tracing capabilities. Give it a try, and if you encounter any bugs or have suggestions, please file an issue.
       </div>
   </Card>
 

docs/src/content/docs/blog/finding-webview-misconfigurations-android.mdx

@@ -132,7 +132,7 @@ import { Card } from '@astrojs/starlight/components';
       ### Conclusion
 
       While [Code-PathFinder, the open-source alternative to CodeQL](https://codepathfinder.dev), is a powerful tool for finding security vulnerabilities in Android applications, one can always tweak the queries to filter out false positives
-      more effectively compared to grep-based scanners like `Semgrep` or `ast-grep`. This is because the taint analysis and source-to-sink analysis are far more powerful than grep-based scanners. Give it a try and file an [issue](https://github.com/shivasurya/code-pathfinder/issues)
+      more effectively compared to grep-based scanners like `ast-grep`. This is because the taint analysis and source-to-sink analysis are far more powerful than grep-based scanners. Give it a try and file an [issue](https://github.com/shivasurya/code-pathfinder/issues)
       if you find any bugs or have any suggestions.
 
 

docs/src/content/docs/index.mdx

@@ -9,15 +9,15 @@ hero:
       link: /quickstart
       icon: right-arrow
       variant: primary
+    - text: Playground
+      link: https://play.codepathfinder.dev
+      icon: forward-slash
     - text: Browse Rules
       link: /atlas
       icon: open-book
     - text: Tech Blog
       link: /blog
       icon: pen
-    - text: Get Source
-      link: https://github.com/shivasurya/code-pathfinder
-      icon: github
 ---
 
 import { Card, CardGrid, Icon } from '@astrojs/starlight/components';

playground-Dockerfile

@@ -0,0 +1,45 @@
+# Use Wolfi as base image with Go support for builder stage
+FROM cgr.dev/chainguard/go:latest as builder
+
+# Set working directory
+WORKDIR /build
+
+# First, copy the sourcecode-parser module
+COPY ./sourcecode-parser /build/sourcecode-parser
+
+# Copy the playground module
+COPY ./playground /build/playground
+
+# Set working directory to playground
+WORKDIR /build/playground
+
+# Build the application with security flags
+ENV CGO_ENABLED=1
+RUN go build -o playground
+
+# Use distroless base image for minimal attack surface
+FROM cgr.dev/chainguard/wolfi-base:latest
+
+# Create non-root user
+USER nonroot:nonroot
+
+# Set working directory
+WORKDIR /app
+
+# Copy the binary from builder
+COPY --from=builder --chown=nonroot:nonroot /build/playground/playground /app/
+
+# Copy static files
+COPY --from=builder --chown=nonroot:nonroot /build/playground/public/static /app/public/static
+
+# Create and set permissions for temporary directory
+RUN mkdir -p /tmp/code-analysis && \
+    chmod 0750 /tmp/code-analysis && \
+    chown nonroot:nonroot /tmp/code-analysis
+
+# Expose port 8080
+EXPOSE 8080
+
+# Run the application with reduced capabilities
+CMD ["/app/playground"]
+

playground/.dockerignore

@@ -0,0 +1,32 @@
+# Version control
+.git
+.gitignore
+
+# Go build artifacts
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+*.test
+*.out
+
+# IDE directories
+.idea/
+.vscode/
+
+# Temporary files
+*.tmp
+*.temp
+tmp/
+temp/
+
+# Docker files
+Dockerfile
+.dockerignore
+
+# Debug files
+debug/
+
+# Dependencies
+/vendor/

playground/README.md

@@ -0,0 +1,26 @@
+### Code-Pathfinder Playground
+
+The Code-Pathfinder Playground is a online interactive app that allows you to analyze code and execute Code-Pathfinder (CodeQL) queries on it.
+
+![Code-Pathfinder Playground](https://badgen.net/static/Online%20Playground/live/cyan?icon=terminal)
+
+### Quickstart
+
+In the playground directory, run:
+
+```shell
+$ go run main.go
+```
+
+This will start the playground server. Visit `http://localhost:8080` to access the playground.
+
+### Docker Build
+
+From the root directory, run:
+
+```shell
+$ podman build --platform linux/amd64 -t docker.io/shivasurya/cpf-playground:latest . -f playground-Dockerfile
+```
+
+This will build the playground Docker image.
+

playground/go.mod

@@ -0,0 +1,19 @@
+module github.com/shivasurya/code-pathfinder/playground
+
+go 1.24.1
+
+replace github.com/shivasurya/code-pathfinder/sourcecode-parser => ../sourcecode-parser
+
+require (
+	github.com/google/uuid v1.6.0
+	github.com/shivasurya/code-pathfinder/sourcecode-parser v0.0.0-00010101000000-000000000000
+	github.com/smacker/go-tree-sitter v0.0.0-20240827094217-dd81d9e9be82
+)
+
+require (
+	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
+	github.com/expr-lang/expr v1.16.9 // indirect
+	github.com/joho/godotenv v1.5.1 // indirect
+	github.com/posthog/posthog-go v1.2.24 // indirect
+	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 // indirect
+)

playground/go.sum

@@ -0,0 +1,22 @@
+github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ=
+github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/expr-lang/expr v1.16.9 h1:WUAzmR0JNI9JCiF0/ewwHB1gmcGw5wW7nWt8gc6PpCI=
+github.com/expr-lang/expr v1.16.9/go.mod h1:8/vRC7+7HBzESEqt5kKpYXxrxkr31SaO8r40VO/1IT4=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
+github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/posthog/posthog-go v1.2.24 h1:A+iG4saBJemo++VDlcWovbYf8KFFNUfrCoJtsc40RPA=
+github.com/posthog/posthog-go v1.2.24/go.mod h1:uYC2l1Yktc8E+9FAHJ9QZG4vQf/NHJPD800Hsm7DzoM=
+github.com/smacker/go-tree-sitter v0.0.0-20240827094217-dd81d9e9be82 h1:6C8qej6f1bStuePVkLSFxoU22XBS165D3klxlzRg8F4=
+github.com/smacker/go-tree-sitter v0.0.0-20240827094217-dd81d9e9be82/go.mod h1:xe4pgH49k4SsmkQq5OT8abwhWmnzkhpgnXeekbx2efw=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 h1:yqrTHse8TCMW1M1ZCP+VAR/l0kKxwaAIqN/il7x4voA=
+golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

playground/main.go

@@ -0,0 +1,42 @@
+// Package main implements a web server for analyzing Java source code and executing CodeQL queries.
+// It provides endpoints for code analysis, AST parsing, and visualization.
+package main
+
+import (
+	"log"
+	"net/http"
+	"os"
+	"strings"
+
+	"github.com/shivasurya/code-pathfinder/playground/pkg/handlers"
+	"github.com/shivasurya/code-pathfinder/playground/pkg/middleware"
+)
+
+func main() {
+	// Create a new mux for better control over middleware
+	mux := http.NewServeMux()
+
+	// Serve static files with security and logging middleware
+	fs := http.FileServer(http.Dir("public/static"))
+	mux.Handle("/", middleware.LoggingMiddleware(fs))
+
+	// API endpoints with security and logging middleware
+	mux.Handle("/api/analyze", middleware.LoggingMiddleware(http.HandlerFunc(handlers.AnalyzeHandler)))
+	mux.Handle("/api/parse", middleware.LoggingMiddleware(http.HandlerFunc(handlers.ParseHandler)))
+
+	// Get port from environment variable or use default
+	port := os.Getenv("PORT")
+	if port == "" {
+		port = "8080"
+	}
+
+	// Ensure port starts with :
+	if !strings.HasPrefix(port, ":") {
+		port = ":" + port
+	}
+
+	log.Printf("Starting server on port %s", port)
+	if err := http.ListenAndServe(port, mux); err != nil {
+		log.Fatalf("Server failed to start: %v", err)
+	}
+}