RedRays ABAP Code Scanner
End-to-end security for your critical SAP code. Advanced static analysis that finds - and helps you fix - security vulnerabilities in your custom ABAP across programs, function modules and class pools, before they reach production.
Now integrated with Checkmarx One - find and fix vulnerabilities in your custom ABAP right alongside the rest of your applications, with no separate system to run. SAP security made faster, easier and truly comprehensive.
Inside the Management Console
From a single web console you connect SAP systems, run and schedule scans, tune the checks, and triage every finding down to the vulnerable line of ABAP - with the same engine available to developers in the IDE.
Security posture at a glance
A real-time overview of your SAP code security: an overall letter-grade security score, the severity breakdown across Critical, High, Medium and Low, and live scan status. Operational metrics and vulnerability trends let you judge risk and progress without opening a single report.

Manage your SAP connections
Register and monitor every SAP system you scan - host, SID, instance, client, live connection status and last-check time. Test, edit, enable or disable a connection, or add a new system over SOAP/RFC, all from one screen.

Organize work into projects
Group scanning into projects that map to your teams, systems or release trains. Each project shows program and scan counts, total and unique vulnerabilities by severity, and creation and last-scan dates. Start a scan or open results in a single click.

Scan transport requests before release
Shift security left to the change itself: browse transport requests, drill into the exact objects they carry, and scan only what is about to move. Catch insecure ABAP while it is still in a transport, long before it reaches production.

Control exactly what gets checked
Pick from ready-made profiles - Full Security Scan (OWASP Top 10 and all severities), Critical + High, single-severity profiles, or a fast Quick scan - and toggle individual checks on or off per profile. Align scanning depth with your compliance needs, security policy and performance budget.

Shift left with the Eclipse plugin
Let developers scan ABAP straight from their IDE. Issue a per-developer API key, plug it into the RedRays Eclipse plugin, and their scans land automatically under the "Developer Scans" project. Track each developer's scans and findings, and regenerate or revoke keys at any time.

Track every scan run
Review the complete scan history of a project - scan type, profile used, target system, scanned-object counts, vulnerabilities found, schedule and status. Re-scan unchanged code (reusing prior results), open a run's findings, delete old runs, or upload a ZIP for offline analysis.

Browse and triage vulnerabilities
Work through a filterable list of every finding - vulnerability name, affected program or function, object type, severity, status and category. Search, sort and filter to focus on what matters, then retest or open any issue directly from the list.

Pinpoint and remediate
Open a finding to see the exact vulnerable source line highlighted in context, a plain-language description of the risk, and concrete remediation guidance. Technical metadata and inline controls let you set severity and status, retest the issue, and review its retest history.

Per-program scan reports
Get a per-program breakdown of any scan: scanned objects, vulnerable objects and findings by severity for each report or program. Prioritize the riskiest objects, share results with stakeholders, and export findings (including SARIF) into your existing workflows.

Problems we solve
Security code issues
RedRays flags exploitable vulnerabilities in your custom ABAP - injection, missing authority checks, insecure RFC calls and more - the exact flaws attackers use to reach SAP data and business processes.
Vulnerable system components
We scan every custom object across your landscape - Reports, Function Modules, Class Pools and Module Pools - to find the weak points attackers target, before they ever reach production.
Hidden code threats
We catch the subtle, hard-to-spot flaws - dynamic code execution, directory traversal, hardcoded credentials and backdoors - that hide in large ABAP code bases and slip past manual review.
Injection attack risks
We detect SQL, OS command and ABAP code injection, where unvalidated input flows into a database query, the operating system or generated code - the classic path to data theft and full compromise.
Code quality problems
We surface risky coding patterns and maintainability issues that make custom ABAP slow, fragile and costly to support - so your team fixes root causes, not just symptoms.
Compliance security gaps
We map findings to recognized standards such as OWASP and SAP security baselines and produce audit-ready evidence, so insecure code doesn't cause your company to fail its next compliance review.
See it in action
A short walkthrough of the RedRays ABAP Code Scanner Management Console.
Secure your custom ABAP
Scan your first SAP system in minutes and see where your risk really is.
Request a demo
Tell us about your SAP landscape and we'll set you up with a scan.
