[Overview diagram: your SAP systems (on-premise ABAP, S/4HANA, connected over SOAP/RFC), developers using the Eclipse plugin with an API key, and transport requests scanned before release feed the RedRays engine in the Management Console, which returns scan findings, a security score with CVSS graded per finding (Critical, High, Medium, Low), and browser dashboards and reports with triage, retest and SARIF export.]
SAP ABAP · SAST

RedRays ABAP Code Scanner

End-to-end security for your critical SAP code. Advanced static analysis that finds - and helps you fix - security vulnerabilities in your custom ABAP across programs, function modules and class pools, before they reach production.

RedRays ABAP Code Scanner dashboard - security posture at a glance
NEW · Checkmarx One

Now integrated with Checkmarx One - find and fix vulnerabilities in your custom ABAP right alongside the rest of your applications, with no separate system to run. SAP security made faster, easier and truly comprehensive.

Inside the Management Console

From a single web console you connect SAP systems, run and schedule scans, tune the checks, and triage every finding down to the vulnerable line of ABAP - with the same engine available to developers in the IDE.

1. Security posture at a glance

A real-time overview of your SAP code security: an overall letter-grade security score, the severity breakdown across Critical, High, Medium and Low, and live scan status. Operational metrics and vulnerability trends let you judge risk and progress without opening a single report.

Security posture dashboard with letter-grade score and severity breakdown

2. Manage your SAP connections

Register and monitor every SAP system you scan - host, SID, instance, client, live connection status and last-check time. Test, edit, enable or disable a connection, or add a new system over SOAP/RFC, all from one screen.

SAP systems connections list with status and last-check time

3. Organize work into projects

Group scanning into projects that map to your teams, systems or release trains. Each project shows program and scan counts, total and unique vulnerabilities by severity, and creation and last-scan dates. Start a scan or open results in a single click.

Projects overview with vulnerability counts by severity

4. Scan transport requests before release

Shift security left to the change itself: browse transport requests, drill into the exact objects they carry, and scan only what is about to move. Catch insecure ABAP while it is still in a transport, long before it reaches production.

Transport requests with their objects, ready to scan before release

5. Control exactly what gets checked

Pick from ready-made profiles - Full Security Scan (OWASP Top 10 and all severities), Critical + High, single-severity profiles, or a fast Quick scan - and toggle individual checks on or off per profile. Align scanning depth with your compliance needs, security policy and performance budget.

Scanning profiles with individual checks toggled on or off

6. Shift left with the Eclipse plugin

Let developers scan ABAP straight from their IDE. Issue a per-developer API key, plug it into the RedRays Eclipse plugin, and their scans land automatically under the "Developer Scans" project. Track each developer's scans and findings, and regenerate or revoke keys at any time.

Developer scans and per-developer API keys

7. Track every scan run

Review the complete scan history of a project - scan type, profile used, target system, scanned-object counts, vulnerabilities found, schedule and status. Re-scan unchanged code (reusing prior results), open a run's findings, delete old runs, or upload a ZIP for offline analysis.

Project scan history with profile, system and status

8. Browse and triage vulnerabilities

Work through a filterable list of every finding - vulnerability name, affected program or function, object type, severity, status and category. Search, sort and filter to focus on what matters, then retest or open any issue directly from the list.

Filterable vulnerabilities list with severity and status

9. Pinpoint and remediate

Open a finding to see the exact vulnerable source line highlighted in context, a plain-language description of the risk, and concrete remediation guidance. Technical metadata and inline controls let you set severity and status, retest the issue, and review its retest history.

Finding detail with highlighted vulnerable source line and remediation

10. Per-program scan reports

Get a per-program breakdown of any scan: scanned objects, vulnerable objects and findings by severity for each report or program. Prioritize the riskiest objects, share results with stakeholders, and export findings (including SARIF) into your existing workflows.

Per-program scan report with findings by severity and SARIF export

Problems we solve

Security code issues

RedRays flags exploitable vulnerabilities in your custom ABAP - injection, missing authority checks, insecure RFC calls and more - the exact flaws attackers use to reach SAP data and business processes.

Vulnerable system components

We scan every custom object across your landscape - Reports, Function Modules, Class Pools and Module Pools - to find the weak points attackers target, before they ever reach production.

Hidden code threats

We catch the subtle, hard-to-spot flaws - dynamic code execution, directory traversal, hardcoded credentials and backdoors - that hide in large ABAP code bases and slip past manual review.

Injection attack risks

We detect SQL, OS command and ABAP code injection, where unvalidated input flows into a database query, the operating system or generated code - the classic path to data theft and full compromise.

Code quality problems

We surface risky coding patterns and maintainability issues that make custom ABAP slow, fragile and costly to support - so your team fixes root causes, not just symptoms.

Compliance security gaps

We map findings to recognized standards such as OWASP and SAP security baselines and produce audit-ready evidence, so insecure code doesn't cause your company to fail its next compliance review.

See it in action

A short walkthrough of the RedRays ABAP Code Scanner Management Console.

Secure your custom ABAP

Scan your first SAP system in minutes and see where your risk really is.
