RedRays runs on SAP BTP and scans your ABAP three ways: from your SAP systems over a BTP destination, from developers' Eclipse plugin, and from CI/CD over a REST API. It then returns results to everyone who needs them: findings to the security team's dashboard, back to developers in Eclipse, and an ALLOWED / BLOCKED gate decision to CI/CD - all enriched with CVSS and an exploitability fact-check. Your source is never stored.
Scan your custom ABAP for security vulnerabilities - as a service on SAP BTP
The RedRays ABAP Code Scanner runs natively on SAP Business Technology Platform. Point it at your SAP systems, and it statically analyses your custom ABAP for security vulnerabilities, code-quality issues and best-practice violations - then presents prioritised findings in a modern web dashboard. No appliance, no code leaves your control.
Runs on SAP BTP
A multitenant SaaS on Cloud Foundry - nothing to host, isolated per tenant.
Connects to your systems
Reads ABAP over a BTP destination: on-premise (Cloud Connector), RISE private edition or S/4HANA.
Your data stays yours
Source is scanned in-memory and discarded; only findings are kept, isolated to your tenant.
How it works
Register a destination to your SAP system once - RedRays reads ABAP through it over ADT, whether the system is on-premise (behind the SAP Cloud Connector), RISE private edition or S/4HANA. Self-signed lab systems are supported.
Bring your own key: each tenant registers its own Destination-service key, so RedRays reads only your subaccount's systems - full isolation, no shared access. Pick a scan profile, launch, and watch findings stream into the dashboard.
Three ways in: read from your SAP systems over a destination, let developers send ABAP source from the Eclipse plugin in the IDE, or call the REST API from your CI/CD pipeline to scan on every build and gate releases on findings. Same engine, same findings.
What you get
85+ security checks
Injection, path traversal, hard-coded secrets, weak crypto, authorization gaps, backdoors and more.
CVSS + exploitability
Every finding carries a CVSS score and an automated exploitability fact-check to cut false positives.
Multi-pass by severity
The engine scans in passes by severity, so critical issues surface first.
Security dashboard
Severity and status breakdowns, top vulnerable objects and issue types, new-vs-resolved trend.
Triage in the browser
Assign, track status and re-scan; assignees are notified by email / alert.
PDF & Excel reports
Export findings for distribution and audit, plus a backlog trend over time.
Inside the console
Everything your team needs to run ABAP security as a program - not a one-off scan.
Dashboard
KPIs and trends: findings by severity & status, MTTR, top vulnerable objects, new-vs-resolved, and adoption by source (web / API / Eclipse / CI).
Scanner
Search objects by pattern, package or type; run a single scan or a mass scan of thousands - it keeps running even if you close the browser.
Vulnerabilities
Filter, bulk-triage and assign findings with a full status workflow (Open → Confirmed / False Positive / Resolved / Risk Accepted); export PDF / Excel / CSV.
Rule Catalog
Enable, disable or override any check per tenant, and build reusable scan profiles from the catalog.
Team
Invite users with roles (Viewer / Scanner / Triager / Admin), define custom roles, restrict which systems each user sees, and mint API tokens.
Audit Log
Every action - who did what, when, from which IP - filterable by actor, action, resource and severity, and exportable to CSV.
Gate your transports before release
Wire RedRays into your pipeline with an API token and block risky transports automatically.
The CTS Gate scans every object in a transport request and returns a binary ALLOWED / BLOCKED decision against a severity threshold you choose: the transport is BLOCKED when any finding is at or above that severity. Use it as a pre-import gate so nothing critical ships. Findings land in the Vulnerabilities tab for triage.
POST /api/cts/check → HTTP 200 ALLOWED or HTTP 409 BLOCKED
Threshold: CRITICAL / HIGH / MEDIUM
Also: /api/scan-async and /api/findings for custom pipelines
# --fail-with-body (curl 7.76+; older curl: --fail) makes curl exit non-zero on any
# 4xx/5xx, so 409 BLOCKED stops the chain while the response body still reaches the
# job log. An expired token or an outage is also non-2xx, so the gate fails closed.
# Content-Type is set explicitly because -d alone sends application/x-www-form-urlencoded.
# stms_import and abort stand in for your pipeline's own import and abort steps.
curl --fail-with-body -X POST \
  https://<tenant>.cloud.abap-security.com/api/cts/check \
  -H "Authorization: Bearer rrk_..." \
  -H "Content-Type: application/json" \
  -d '{"destination":"DEV",
       "transport":"DEVK900123",
       "threshold":"HIGH"}' \
  && stms_import || abort
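The same gate call as a pipeline step in Python, added here as an example; it is not RedRays' own client or SDK. It assumes only what is documented above: the endpoint path, the bearer token, the three JSON body fields and the 200 / 409 statuses. The response body format is not given on this page, so nothing is parsed from it. The RR_URL and RR_TOKEN environment variable names, the argument order and the fake_gate dry-run helper are this example's own choices. What it adds over the curl one-liner is an explicit third outcome: a 401 from an expired token, a 5xx or a timeout is reported as ERROR rather than mistaken for a verdict, but still stops the import, so the gate fails closed.

```python
"""CI gate step for POST /api/cts/check (added example, not RedRays' own client).

Assumes only the documented contract: bearer token, JSON body with destination,
transport and threshold, HTTP 200 = ALLOWED, HTTP 409 = BLOCKED. The response
body format is not documented here, so it is deliberately not parsed.
"""
import json
import os
import sys
import urllib.error
import urllib.request

# Thresholds the page documents for the gate.
THRESHOLDS = ("CRITICAL", "HIGH", "MEDIUM")


def build_request(base_url, token, destination, transport, threshold):
    """Build the request exactly as the curl example sends it (plus an explicit JSON content type)."""
    if threshold not in THRESHOLDS:
        raise ValueError(f"threshold must be one of {THRESHOLDS}, got {threshold!r}")
    body = json.dumps(
        {"destination": destination, "transport": transport, "threshold": threshold}
    ).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/cts/check",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def decide(status):
    """Map the gate's HTTP status to a decision the pipeline can act on.

    Only 200 allows the import. 409 is the gate's explicit BLOCKED. Anything else
    (401 from an expired token, 5xx, None for a network failure) is not a verdict
    at all: it is reported as ERROR and the caller must treat it like BLOCKED.
    """
    if status == 200:
        return "ALLOWED"
    if status == 409:
        return "BLOCKED"
    return "ERROR"


def check_transport(base_url, token, destination, transport, threshold,
                    urlopen=urllib.request.urlopen, timeout=120):
    """Call the gate and return ALLOWED, BLOCKED or ERROR; never raises on HTTP or network errors."""
    req = build_request(base_url, token, destination, transport, threshold)
    try:
        with urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as exc:      # urlopen raises for 4xx/5xx, including 409
        status = exc.code
    except (urllib.error.URLError, OSError):   # DNS failure, refused connection, timeout
        status = None
    return decide(status)


def fake_gate(status):
    """Return a urlopen stand-in answering with a fixed status (dry runs without a tenant)."""
    def _urlopen(req, timeout=None):
        if status is None:
            raise urllib.error.URLError("simulated network failure")
        if status >= 400:
            raise urllib.error.HTTPError(req.full_url, status, "simulated", None, None)

        class _Resp:                            # minimal stand-in for http.client.HTTPResponse
            def __init__(self):
                self.status = status

            def __enter__(self):
                return self

            def __exit__(self, *exc_info):
                return False

        return _Resp()
    return _urlopen


def main(argv=None):
    """Usage: cts_gate.py DEV DEVK900123 HIGH   (RR_URL, RR_TOKEN taken from the environment)."""
    destination, transport, threshold = (argv or sys.argv)[1:4]
    decision = check_transport(
        os.environ["RR_URL"], os.environ["RR_TOKEN"], destination, transport, threshold
    )
    print(f"{transport}: {decision}")
    return 0 if decision == "ALLOWED" else 1   # ERROR exits non-zero too: fail closed


if __name__ == "__main__":
    sys.exit(main())
```

Keep the token in a CI secret rather than in the job definition, and let ERROR page the pipeline owner rather than silently retrying: a gate that reports the same exit code for "blocked" and "the scanner was unreachable" hides outages behind false blocks.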
See your security posture at a glance
A live dashboard shows where the risk is; drill into any finding to see the affected object, the vulnerable line, CVSS, the exploitability verdict and remediation guidance.
A rule catalog you control
85 built-in checks across four severity levels. Enable, disable or override any rule per project, so the policy fits your code base.
Examples: Native SQL / ADBC injection, OS command execution (SXPG_*, CALL 'SYSTEM'), dynamic WHERE / ORDER BY, path traversal on OPEN DATASET, RFC trust abuse, missing AUTHORITY-CHECK, hard-coded passwords, weak crypto (MD5/SHA1), and more.
Ways to run it
We host, you scan
Get a tenant on our SAP BTP deployment. Register your Destination-service key and start scanning - nothing to install.
Deploy in your own landscape
For data-residency needs, run the scanner inside your own SAP BTP. Same engine, same dashboard, fully in your tenant.
