We shipped a native ABAP code security scanner that runs on SAP Business Technology Platform (BTP). Point it at your SAP systems and it statically analyzes your custom ABAP for security vulnerabilities, then presents prioritized, CVSS-scored findings in a web dashboard - with nothing to host.
Most ABAP security tooling asks you to install something, run it inside the SAP system, or babysit a server. This is the opposite: a multitenant SaaS on Cloud Foundry that connects to your systems over a BTP destination, reads ABAP through ADT, and keeps every tenant fully isolated. Same engine you can run from the dashboard, from the IDE, or from your CI/CD pipeline.
What is it
The RedRays ABAP Code Scanner now runs natively on SAP BTP as a multitenant SaaS on Cloud Foundry - isolated per tenant, nothing for you to install or operate. It connects to your SAP systems over a BTP destination and reads ABAP through ADT, whether the system is on-premise (behind the SAP Cloud Connector), RISE private edition, or S/4HANA. Self-signed lab systems are supported too.
Three ways to run it
Same engine, same findings - wherever it fits your workflow:
From your SAP
Register a destination and scan on-premise, RISE or S/4HANA systems over ADT.
From Eclipse
Developers send ABAP source from the Eclipse plugin and get findings back in the IDE.
From CI/CD
Call the REST API to scan on every build and gate releases on findings.
What you get
85+ security checks
Injection, path traversal, hard-coded secrets, weak crypto, missing AUTHORITY-CHECK, RFC trust abuse, backdoors and more.
CVSS + exploitability
Every finding carries a CVSS score and an automated exploitability fact-check to cut false positives.
Multi-pass by severity
The engine scans in passes by severity, so critical issues surface first.
Security dashboard
Severity and status breakdowns, top vulnerable objects, MTTR and new-vs-resolved trend.
Triage in the browser
Assign, track status (Open → Confirmed / False Positive / Resolved) and re-scan.
Your rule catalog
Enable, disable or override any of the 85+ checks per tenant, and build reusable scan profiles.
Gate risky transports in CI/CD
Wire the scanner into your pipeline with an API token. The CTS Gate scans every object in a transport request and returns a binary decision against a severity threshold you choose - use it as a pre-import gate so nothing critical ships.
POST https://<tenant>.cloud.abap-security.com/api/cts/check
Authorization: Bearer rrk_...
{ "destination": "DEV", "transport": "DEVK900123", "threshold": "HIGH" }
→ 200 ALLOWED | 409 BLOCKED
Blocked findings land in the Vulnerabilities tab for triage. There are also /api/scan-async and /api/findings endpoints for custom pipelines.
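A pipeline step built around the CTS Gate call above, as an added example (not RedRays code): it maps 200 to pass and 409 to block as described, and fails closed on any other outcome so an expired token or a proxy login page never reads as ALLOWED. The environment variable names, the Content-Type header, the exit codes and the refusal to follow redirects are assumptions of this example.

```python
import json
import os
import sys
import urllib.error
import urllib.request

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # a 3xx becomes an HTTPError instead of a followed GET

def build_request(base_url, token, destination, transport, threshold):
    """Build the POST /api/cts/check request from the page (not sent here)."""
    body = json.dumps({"destination": destination, "transport": transport,
                       "threshold": threshold}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/cts/check", data=body, method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})  # header is an assumption

def gate_exit_code(status):
    """200 = ALLOWED, 409 = BLOCKED (per the page); everything else fails closed."""
    if status == 200:
        return 0
    if status == 409:
        return 1
    return 2  # expired token, proxy error, redirect, timeout: not verified

def check_transport(req, timeout=300):
    """Send the request; return the HTTP status, or None if nothing answered."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 409 BLOCKED arrives as an HTTPError
    except OSError:
        return None  # DNS failure, refused connection, timeout

if __name__ == "__main__":
    # Assumed variable names; keep the rrk_ token in the CI secret store.
    req = build_request(os.environ["RR_BASE_URL"], os.environ["RR_API_TOKEN"],
                        os.environ.get("RR_DESTINATION", "DEV"), sys.argv[1],
                        os.environ.get("RR_THRESHOLD", "HIGH"))
    status = check_transport(req)
    code = gate_exit_code(status)
    print(f"CTS gate: HTTP {status} -> exit {code}", file=sys.stderr)
    sys.exit(code)
```

Run it with the transport request number as the only argument; exit code 1 means the gate blocked the transport, exit code 2 means the check itself could not be completed.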
How to get it
Two ways to run it, depending on your data-residency needs:
We host, you scan
Get a tenant on our SAP BTP deployment, register your Destination-service key and start scanning - nothing to install.
Deploy in your own BTP
Run the scanner inside your own SAP BTP for data residency - same engine, same dashboard, fully in your tenant.
See the ABAP Code Scanner for SAP BTP
Full feature breakdown, screenshots and how to get started.
Explore the scanner →
Questions, or already doing ABAP security in a pipeline? I'd like your feedback - reach out via contact.




