Architecture overview (diagram): your SAP systems (on-premise ABAP, RISE, S/4HANA) are read over ADT via a BTP destination (SAP Cloud Connector or internet); developers send ABAP source inline from the Eclipse plugin and get findings back in Eclipse; the CI/CD pipeline calls the REST API with an rrk_ token to scan on every build or PR and receives an ALLOWED / BLOCKED gate decision. The RedRays Scanner runs on SAP BTP (multitenant, your own key, 85+ checks, multi-pass, CVSS + exploitability fact-check per finding, CRITICAL / HIGH / MEDIUM / LOW) and feeds the security dashboard in your browser (severity, status, trends), where the security team analyzes, triages, assigns and reports.

RedRays runs on SAP BTP and takes ABAP in three ways: read from your SAP systems over a BTP destination, sent by developers from the Eclipse plugin, or submitted from CI/CD over the REST API. It then returns results to everyone who needs them: findings to the security team's dashboard, findings back to developers in Eclipse, and an ALLOWED / BLOCKED gate decision to CI/CD, each finding enriched with a CVSS score and an exploitability fact-check. Your source is scanned in memory and never stored.

ABAP SAST · SAP BTP

Scan your custom ABAP for security vulnerabilities - as a service on SAP BTP

The RedRays ABAP Code Scanner runs natively on SAP Business Technology Platform. Point it at your SAP systems, and it statically analyses your custom ABAP for security vulnerabilities, code-quality issues and best-practice violations - then presents prioritised findings in a modern web dashboard. No appliance, no code leaves your control.

Runs on SAP BTP

A multitenant SaaS on Cloud Foundry - nothing to host, isolated per tenant.

Connects to your systems

Reads ABAP over a BTP destination: on-premise (Cloud Connector), RISE private edition or S/4HANA.

Your data stays yours

Source is scanned in-memory and discarded; only findings are kept, isolated to your tenant.

How it works

Register a destination to your SAP system once - RedRays reads ABAP through it over ADT, whether the system is on-premise (behind the SAP Cloud Connector), RISE private edition or S/4HANA. Self-signed lab systems are supported.

Bring your own key: each tenant registers its own Destination-service key, so RedRays reads only your subaccount's systems - full isolation, no shared access. Pick a scan profile, launch, and watch findings stream into the dashboard.

Three ways in: read from your SAP systems over a destination, let developers send ABAP source from the Eclipse plugin in the IDE, or call the REST API from your CI/CD pipeline to scan on every build and gate releases on findings. Same engine, same findings.

Screenshot: scan launch panel on SAP BTP - pick a destination and a scan profile, then launch.

What you get

85+ security checks

Injection, path traversal, hard-coded secrets, weak crypto, authorization gaps, backdoors and more.

CVSS + exploitability

Every finding carries a CVSS score and an automated exploitability fact-check to cut false positives.

Multi-pass by severity

The engine scans in passes by severity, so critical issues surface first.

Security dashboard

Severity and status breakdowns, top vulnerable objects and issue types, new-vs-resolved trend.

Triage in the browser

Assign, track status and re-scan; assignees are notified by email / alert.

PDF & Excel reports

Export findings for distribution and audit, plus a backlog trend over time.

Inside the console

Everything your team needs to run ABAP security as a program - not a one-off scan.

Dashboard

KPIs and trends: findings by severity & status, MTTR, top vulnerable objects, new-vs-resolved, and adoption by source (web / API / Eclipse / CI).

Scanner

Search objects by pattern, package or type; run a single scan or a mass scan of thousands - it keeps running even if you close the browser.

Vulnerabilities

Filter, bulk-triage and assign findings with a full status workflow (Open → Confirmed / False Positive / Resolved / Risk Accepted); export PDF / Excel / CSV.

Rule Catalog

Enable, disable or override any check per tenant, and build reusable scan profiles from the catalog.

Team

Invite users with roles (Viewer / Scanner / Triager / Admin), define custom roles, restrict which systems each user sees, and mint API tokens.

Audit Log

Every action - who did what, when, from which IP - filterable by actor, action, resource and severity, and exportable to CSV.

Screenshot: Team - members, roles, custom roles and API tokens.
Screenshot: Audit Log - filterable, exportable trail of who did what, when, from which IP.
CI/CD

Gate your transports before release

Wire RedRays into your pipeline with an API token and block risky transports automatically.

The CTS Gate scans every object in a transport request and returns a binary ALLOWED / BLOCKED decision against a severity threshold you choose - use it as a pre-import gate so nothing critical ships. Findings land in the Vulnerabilities tab for triage.

  • POST /api/cts/check → HTTP 200 ALLOWED or 409 BLOCKED
  • Threshold: CRITICAL / HIGH / MEDIUM
  • Also: /api/scan-async and /api/findings for custom pipelines
# curl exits 0 on HTTP 200 (ALLOWED). With --fail-with-body (curl 7.76+; older curl has
# only --fail, which drops the body) it exits non-zero on 409 (BLOCKED) or any other error
# and still prints the response body, so the blocking findings show up in the job log.
if curl --fail-with-body -sS -X POST \
     https://<tenant>.cloud.abap-security.com/api/cts/check \
     -H "Authorization: Bearer rrk_..." \
     -H "Content-Type: application/json" \
     -d '{"destination":"DEV",
          "transport":"DEVK900123",
          "threshold":"HIGH"}'
then
  stms_import   # your import step
else
  abort         # your abort step; a network or auth error also lands here (fail closed)
fi
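The one-liner above is fine for a demo, but in a real job you want the gate to fail closed, to tell a policy BLOCKED apart from an expired token or an outage, and to never let a transport ID reach the JSON body unchecked. The script below is an added example written for this page, not RedRays' own client or CI integration; it relies only on the POST /api/cts/check contract stated above (HTTP 200 = ALLOWED, 409 = BLOCKED, threshold CRITICAL / HIGH / MEDIUM) and assumes two job variables, RR_BASE_URL (your tenant URL) and RR_TOKEN (an rrk_ API token minted in the Team tab); those variable names, and the import step it calls at the end, are assumptions.

```sh
#!/bin/sh
# Added example (not RedRays' own client): a fail-closed CTS gate step for a
# CI job, built on the POST /api/cts/check contract on this page
# (HTTP 200 = ALLOWED, 409 = BLOCKED). Assumed: RR_BASE_URL and RR_TOKEN are
# set in the job environment, e.g. https://<tenant>.cloud.abap-security.com
# and an rrk_ API token minted in the Team tab.

# Map the HTTP status of /api/cts/check to a verdict. Only 200 means the
# transport may ship; 409 is a policy block; anything else (401 bad token,
# 5xx, 000 when curl got no response at all) is ERROR and is never
# treated as ALLOWED.
cts_verdict() {
  case "$1" in
    200) echo ALLOWED ;;
    409) echo BLOCKED ;;
    *)   echo ERROR ;;
  esac
}

# Build the JSON body. Destination and transport IDs are plain identifiers,
# so an empty value or anything outside [A-Za-z0-9_] (quotes, braces,
# newlines) is rejected rather than interpolated into the JSON; the
# threshold must be one of the three values the gate accepts.
cts_request_body() {
  for cts_id in "$1" "$2"; do
    case "$cts_id" in
      ''|*[!A-Za-z0-9_]*) echo "cts gate: bad destination/transport id" >&2; return 1 ;;
    esac
  done
  case "$3" in
    CRITICAL|HIGH|MEDIUM) ;;
    *) echo "cts gate: threshold must be CRITICAL, HIGH or MEDIUM" >&2; return 1 ;;
  esac
  printf '{"destination":"%s","transport":"%s","threshold":"%s"}' "$1" "$2" "$3"
}

# Ask the gate about one transport: cts_gate <destination> <transport> <threshold>.
# Prints the verdict, dumps the response body (the blocking findings) to
# stderr unless ALLOWED, and returns 0 only for ALLOWED, so
# `cts_gate ... && <import step>` fails closed on every other outcome.
cts_gate() {
  cts_body=$(cts_request_body "$1" "$2" "$3") || return 2
  cts_resp=$(mktemp) || return 2
  # -w prints the status code on stdout; the body goes to the temp file.
  # A transport-level failure (DNS, TLS, timeout) leaves curl non-zero,
  # which is recorded as status 000 and therefore ERROR.
  cts_status=$(curl -sS -o "$cts_resp" -w '%{http_code}' -X POST \
      "$RR_BASE_URL/api/cts/check" \
      -H "Authorization: Bearer $RR_TOKEN" \
      -H "Content-Type: application/json" \
      -d "$cts_body") || cts_status=000
  cts_result=$(cts_verdict "$cts_status")
  echo "cts gate: $2 on $1 at threshold $3 -> $cts_result (HTTP $cts_status)"
  if [ "$cts_result" != ALLOWED ]; then cat "$cts_resp" >&2; fi
  rm -f "$cts_resp"
  [ "$cts_result" = ALLOWED ]
}

# Pipeline usage (import_transport stands for whatever your job runs, e.g. a tp/STMS call):
#   cts_gate DEV DEVK900123 HIGH && import_transport DEVK900123
```

Two points worth keeping when you adapt it: write the gate as `cts_gate ... && import`, not `gate && import || abort`, because in the latter form a failed import also runs the abort step; and keep ERROR distinct from BLOCKED in the job output, so an expired rrk_ token or a tenant outage shows up as a broken pipeline rather than as a transport that was "blocked by policy".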

See your security posture at a glance

A live dashboard shows where the risk is; drill into any finding to see the affected object, the vulnerable line, CVSS, the exploitability verdict and remediation guidance.

Screenshot: security dashboard and analytics - severity and status charts, top objects and issue types.
Screenshot: vulnerabilities list - severity, CVSS, status and affected object, with browse and triage controls.
Screenshot: finding detail - description, CVSS vector, exploitability fact-check, code location and remediation.

A rule catalog you control

85 built-in checks across four severity levels. Enable, disable or override any rule per project, so the policy fits your code base.

Critical 6 · High 24 · Medium 43 · Low 12

Examples: Native SQL / ADBC injection, OS command execution (SXPG_*, CALL 'SYSTEM'), dynamic WHERE / ORDER BY, path traversal on OPEN DATASET, RFC trust abuse, missing AUTHORITY-CHECK, hard-coded passwords, weak crypto (MD5/SHA1), and more.

Screenshot: rule catalog - 85 ABAP security checks grouped by severity, with enable / disable / override toggles per project.

Ways to run it

Managed tenant

We host, you scan

Get a tenant on our SAP BTP deployment. Register your Destination-service key and start scanning - nothing to install.

Your BTP / private edition

Deploy in your own landscape

For data-residency needs, run the scanner inside your own SAP BTP. Same engine, same dashboard, fully in your tenant.
