RedRays Security Platform - ABAP Code Scanner

  • Security Analysis: Advanced static code analysis with real-time vulnerability detection during ABAP code compilation and development cycles.
  • Secure SAP Customizations: Automatically identify and remediate custom ABAP code vulnerabilities across programs, function modules, and class pools before production deployment.
  • Multi-Threaded Performance: High-performance scanning with up to 30 concurrent threads, processing thousands of ABAP programs efficiently with real-time progress tracking.
  • Vulnerability Management: Complete vulnerability lifecycle management with severity classification, status tracking, assignment workflows, and detailed remediation guidance.

End-to-End Security for Your Critical SAP Code

Big news! We're teaming up with Checkmarx to bring our specialized RedRays ABAP Code Scanner directly into their Checkmarx One platform. Now you don't need a separate system just for your SAP code. You can find and fix vulnerabilities in all your custom ABAP code - right alongside the rest of your applications - making SAP security easier, faster, and truly comprehensive.

Inside the Management Console

From a single web console you connect SAP systems, run and schedule scans, tune the checks, and triage every finding down to the vulnerable line of ABAP - with the same engine available to developers in the IDE.

Dashboard

Security Posture at a Glance

Land on a real-time overview of your SAP code security: an overall letter-grade security score, the severity breakdown across Critical, High, Medium and Low, and live scan status. Operational metrics (total scans, connected systems, scan success rate, high-priority issues) and vulnerability trends over time let you judge risk and progress without opening a single report.

Systems

Manage Your SAP Connections

Register and monitor every SAP system you scan. The Systems module lists each connection with its host, SID, instance, client, live connection status and last-check time. Test, edit, enable or disable a connection, or add a new system over SOAP/RFC - all from one screen.

Projects

Organize Work into Projects

Group scanning activity into projects that map to your teams, systems or release trains. Each project shows its program and scan counts, total and unique vulnerabilities by severity, and creation and last-scan dates. Start a new scan or open results for any project in a single click.

Transport Requests

Scan Transport Requests Before Release

Shift security left to the change itself: browse transport requests, drill into the exact objects they carry, and scan only what is about to move. Catch insecure ABAP while it is still in a transport - long before it reaches production.

Scanning Profiles

Control Exactly What Gets Checked

Pick from ready-made profiles - Full Security Scan (OWASP Top 10 and all severities), Critical + High, single-severity profiles, or a fast Quick scan - and toggle individual checks on or off per profile. Align scanning depth with your compliance needs, security policy and performance budget.

Developers

Shift Left with the Eclipse Plugin

Let developers scan ABAP straight from their IDE. Issue a per-developer API key, plug it into the RedRays Eclipse plugin, and their scans land automatically under the “Developer Scans” project. Track each developer’s scan count, findings and last scan, and regenerate or revoke keys at any time.

Scan History

Track Every Scan Run

Review the complete scan history of a project: scan type, profile used, target system, scanned-object counts, vulnerabilities found, schedule and status. Re-scan unchanged code (reusing prior results), open a run’s findings, delete old runs, or upload a ZIP for offline analysis.

Findings

Browse and Triage Vulnerabilities

Work through a filterable list of every finding - vulnerability name, affected program or function, object type, severity, status and category. Search, sort and filter to focus on what matters, then retest or open any issue directly from the list.

Finding Detail

Pinpoint and Remediate

Open a finding to see the exact vulnerable source line highlighted in context, a plain-language description of the risk, and concrete remediation guidance. Technical metadata (object type, function pool, RFC-enabled, line number) and inline controls let you set severity and status, retest the issue, and review its retest history.

Reports

Per-Program Scan Reports

Get a per-program breakdown of any scan: scanned objects, vulnerable objects and findings by severity for each report or program. Prioritize the riskiest objects, share results with stakeholders, and export findings (including SARIF) into your existing workflows.

Problems We Solve

Security Code Issues

RedRays flags exploitable vulnerabilities in your custom ABAP - injection, missing authority checks, insecure RFC calls and more - the exact flaws attackers use to reach SAP data and business processes.

Vulnerable System Components

We scan every custom object across your landscape - Reports, Function Modules, Class Pools and Module Pools - to find the weak points attackers target, before they ever reach production.

Hidden Code Threats

We catch the subtle, hard-to-spot flaws - dynamic code execution, directory traversal, hardcoded credentials and backdoors - that hide in large ABAP code bases and slip past manual review.

Injection Attack Risks

Our scanner detects SQL, OS command and ABAP code injection, where unvalidated input flows into a database query, the operating system or generated code - the classic path to data theft and full compromise.

Code Quality Problems

We surface risky coding patterns and maintainability issues that make custom ABAP slow, fragile and costly to support - so your team fixes root causes, not just symptoms.

Compliance Security Gaps

We map findings to recognized standards such as OWASP and SAP security baselines and produce audit-ready evidence, so insecure code doesn't cause your company to fail its next compliance review.
