OWASP ABAP Code Scanner
SAST for SAP ABAP
SAP systems run on enormous amounts of custom ABAP (Advanced Business Application Programming) code that drives payroll, finance, logistics and other business-critical processes. That custom code is rarely security-reviewed and is a common source of injection, path-traversal and hard-coded-secret vulnerabilities.
The OWASP ABAP Code Scanner is a Static Application Security Testing (SAST) tool for ABAP. The open-source command-line scanner is the heart of this OWASP project: it statically analyses exported ABAP source offline, needs no connection to your SAP system, and drops straight into a CI/CD pipeline.
Editions
| Edition | What it is | Where |
|---|---|---|
| Open-source CLI (free, MIT) | Scan exported ABAP source locally or in CI | This page (below) |
| Cloud Edition (SAP BTP) | Commercial SaaS that reads ABAP over BTP destinations | Cloud / BTP edition » |
| Web (Management Console) | Commercial web SAST that connects to SAP via SAP JCo / RFC | Web edition » |
All three share the same scanning heritage. The commercial editions are by RedRays; the OWASP project itself is, and remains, free and open source.
Why use the open-source CLI
- Offline and agentless - scan exported ABAP source on any machine; nothing is sent anywhere.
- CI/CD ready - a simple CLI you can gate your pipeline on.
- Extensible - add your own checks in a few lines of Python.
- Actionable reports - findings exported to XLSX for triage.
- Free and open - MIT-licensed and community-driven.
Security checks
The scanner ships with checks for common ABAP security issues, including:
| Category | Examples |
|---|---|
| Injection | Cross-Site Scripting (XSS), SQL injection, directory traversal |
| Secrets | Hard-coded credentials and keys |
| Cryptography | Weak or outdated cryptographic algorithms |
| Best practices | Insecure dynamic statements, and more |
Checks are selected per run from a YAML config file, so you can tune the rule set to your code base.
Quick start
# 1. Get the tool (Python 3.9+)
git clone https://github.com/OWASP/abap-code-scanner.git
cd abap-code-scanner
pip install -r requirements.txt
# 2. Scan a folder of ABAP source
python main.py path/to/abap/source
The scan writes abap_security_scan_report.xlsx to the project folder:

Full configuration, writing custom checks and running the tests are documented in the README.
Roadmap
- Data-flow (taint) analysis - track tainted inputs from sources to sensitive sinks to reduce false positives and catch context-dependent vulnerabilities that simple pattern matching misses.
- SARIF output so findings show up natively in GitHub code scanning.
- More checks mapped to the OWASP Top 10 and SAP secure-coding guidance.
Contributions to any of these are very welcome.
Getting involved
You do not need to be a security expert to help:
- Star and share the project.
- Open an issue for a bug, a false positive, or a new check idea.
- Send a pull request - new checks, test cases and docs are all valuable.
- Say hello on the OWASP Slack.
See CONTRIBUTING.md to get started.
Licensing
The OWASP ABAP Code Scanner is free to use and is released under the MIT License.
The project was originally contributed and is maintained by RedRays. Commercial Cloud (SAP BTP) and Web (Management Console) editions are available separately; the OWASP project is, and remains, free and open source.