Vahagn Vardanian

Co-founder and CTO of RedRays

ABAP code scanner for SAP BTP

We shipped a native ABAP code security scanner that runs on SAP Business Technology Platform (BTP). Point it at your SAP systems and it statically analyzes your custom ABAP for security vulnerabilities, then presents prioritized, CVSS-scored findings in a web dashboard - with nothing to host.

Most ABAP security tooling asks you to install something, run it inside the SAP system, or babysit a server. This is the opposite: a multitenant SaaS on Cloud Foundry that connects to your systems over a BTP destination, reads ABAP through ADT, and keeps every tenant fully isolated. You can run the same engine from the dashboard, from the IDE, or from your CI/CD pipeline.

[Diagram: your SAP systems (on-premise, RISE, S/4HANA, over ADT), developers (Eclipse plugin, sending ABAP inline) and the CI/CD pipeline (REST API, scan on every build) all feed the RedRays ABAP Scanner on SAP BTP (85+ checks, CVSS, multi-pass), which feeds the findings dashboard (triage, report, gate).]
One engine, three ways in - and every finding lands in the same dashboard.

What is it

The RedRays ABAP Code Scanner now runs natively on SAP BTP as a multitenant SaaS on Cloud Foundry - isolated per tenant, nothing for you to install or operate. It connects to your SAP systems over a BTP destination and reads ABAP through ADT, whether the system is on-premise (behind the SAP Cloud Connector), RISE private edition, or S/4HANA. Self-signed lab systems are supported too.

Your data stays yours. Each tenant registers its own Destination-service key (bring your own key), so RedRays reads only your subaccount's systems. Source is scanned in memory and discarded - only the findings are stored, isolated to your tenant.

Three ways to run it

Same engine, same findings - wherever it fits your workflow:

Destination

From your SAP

Register a destination and scan on-premise, RISE or S/4HANA systems over ADT.

IDE

From Eclipse

Developers send ABAP source from the Eclipse plugin and get findings back in the IDE.

Pipeline

From CI/CD

Call the REST API to scan on every build and gate releases on findings.

What you get

Coverage

85+ security checks

Injection, path traversal, hard-coded secrets, weak crypto, missing AUTHORITY-CHECK, RFC trust abuse, backdoors and more.

Signal

CVSS + exploitability

Every finding carries a CVSS score and an automated exploitability fact-check to cut false positives.

Order

Multi-pass by severity

The engine scans in passes by severity, so critical issues surface first.

Visibility

Security dashboard

Severity and status breakdowns, top vulnerable objects, MTTR and new-vs-resolved trend.

Workflow

Triage in the browser

Assign, track status (Open → Confirmed / False Positive / Resolved) and re-scan.

Control

Your rule catalog

Enable, disable or override any of the 85+ checks per tenant, and build reusable scan profiles.

Gate risky transports in CI/CD

Wire the scanner into your pipeline with an API token. The CTS Gate scans every object in a transport request and returns a binary decision against a severity threshold you choose - use it as a pre-import gate so nothing critical ships.

POST https://<tenant>.cloud.abap-security.com/api/cts/check
Authorization: Bearer rrk_...
{ "destination":"DEV", "transport":"DEVK900123", "threshold":"HIGH" }

→ 200 ALLOWED   |   409 BLOCKED

Blocked findings land in the Vulnerabilities tab for triage. There are also /api/scan-async and /api/findings endpoints for custom pipelines.
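
A pipeline step built on the request above, as an added example (not RedRays code): it relies only on the 200/409 status codes shown on this page and treats every other outcome as a failure, so the gate fails closed. The exit-code convention, the Content-Type header and the RR_* environment variable names are assumptions of this example.

```python
import json
import os
import sys
import urllib.error
import urllib.request

ALLOWED, BLOCKED, ERROR = 0, 1, 2  # process exit codes (this example's convention)

def build_request(base_url, token, destination, transport, threshold):
    """POST /api/cts/check with the JSON body and bearer token shown on the page."""
    body = json.dumps({"destination": destination, "transport": transport,
                       "threshold": threshold}).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/cts/check", data=body, method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})  # Content-Type is assumed

def decide(status):
    """Only an explicit 200 lets the transport through; anything else stops it."""
    if status == 200:
        return ALLOWED
    if status == 409:
        return BLOCKED
    return ERROR  # 401, 5xx, unexpected codes: fail closed

def cts_gate(base_url, token, destination, transport, threshold="HIGH",
             opener=urllib.request.urlopen, timeout=120):
    req = build_request(base_url, token, destination, transport, threshold)
    try:
        with opener(req, timeout=timeout) as resp:
            return decide(resp.status)
    except urllib.error.HTTPError as exc:
        # urllib raises on every 4xx/5xx, so 409 BLOCKED arrives here.
        return decide(exc.code)
    except OSError:
        return ERROR  # scanner unreachable or timed out: do not import

if __name__ == "__main__":
    # Hypothetical variable names; keep the token in the CI secret store.
    env = os.environ
    try:
        code = cts_gate(env["RR_BASE_URL"], env["RR_API_TOKEN"],
                        env["RR_DESTINATION"], env["RR_TRANSPORT"],
                        env.get("RR_THRESHOLD", "HIGH"))
    except KeyError as missing:
        print("missing setting:", missing, file=sys.stderr)
        code = ERROR
    print({ALLOWED: "ALLOWED", BLOCKED: "BLOCKED", ERROR: "ERROR"}[code])
    sys.exit(code)
```

Exit code 1 means the scanner blocked the transport, while 2 means the gate could not get a decision; both should stop the import, but only the first points at findings to triage.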

How to get it

Two ways to run it, depending on your data-residency needs:

Fastest

We host, you scan

Get a tenant on our SAP BTP deployment, register your Destination-service key and start scanning - nothing to install.

Your landscape

Deploy in your own BTP

Run the scanner inside your own SAP BTP for data residency - same engine, same dashboard, fully in your tenant.

See the ABAP Code Scanner for SAP BTP

Full feature breakdown, screenshots and how to get started.

Explore the scanner →

Questions, or already doing ABAP security in a pipeline? I'd like your feedback - reach out via contact.
