Static Application Security Testing (SAST) for SAP ABAP. A free, open-source CLI for finding security vulnerabilities in custom ABAP code - offline and in CI.
| Edition | What it is | Where |
|---|---|---|
| Open-source CLI (free, MIT) | Scan exported ABAP source locally or in CI | This repo (below) |
| Cloud (SAP BTP) | Commercial SaaS that reads ABAP over BTP destinations | Cloud / BTP edition |
| Web (Management Console) | Commercial web SAST that connects to SAP via JCo / RFC | Web edition |
The commercial editions are by RedRays; this OWASP project (the open-source CLI) is free and open source.
SAP runs on custom ABAP code - often millions of lines, written over decades, powering payroll, finance and logistics. That code is rarely security-reviewed and is a frequent source of injection, path-traversal and hard-coded-secret bugs, while standard SAP tooling is heavy and system-bound.
This CLI statically analyses exported ABAP source offline - no SAP connection, no agent, no telemetry - and writes an XLSX report you can act on. Drop it into CI to gate pull requests.
Requires Python 3.9+ and pip.

```bash
git clone https://github.com/OWASP/abap-code-scanner.git
cd abap-code-scanner
pip install -r requirements.txt
python main.py path/to/abap/source
```

When the scan finishes you will find abap_security_scan_report.xlsx in the project folder.
| Option | Description | Default |
|---|---|---|
| path | Directory of ABAP source to scan | (required) |
| -c, --config | Path to the YAML config file | config.yml |
The scanner reads a YAML file (default config.yml, override with -c). Pick the checks to run, the file extensions to include, and patterns to exclude:
```yaml
checks:
  - CheckCrossSiteScripting
  - CheckSQLInjection
  - CheckDirectoryTraversal
file_extensions:
  - .abap
  - .txt
exclude_patterns:
  - "**/test/**"
```

To add your own check:

- Create a new Python file in the checks/ directory.
- Define a class that inherits from the base check class.
- Implement the required methods, including the main run method.
- Add the class name to the checks: list in your config file.
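The steps above, worked through as an added example that is not part of the project's code: a line-based check for hard-coded credentials in ABAP source. The project's real base class and run() signature live in checks/ and are not shown on this page, so the BaseCheck stand-in, the Finding record and the sample ABAP below are assumptions made so the file runs on its own.

```python
"""Example custom check for abap-code-scanner (added illustration, not project code).
The real base class and run() signature live in checks/; BaseCheck here is an assumed stand-in."""
import re
from dataclasses import dataclass

@dataclass
class Finding:
    file: str
    line: int
    message: str
    snippet: str

class BaseCheck:  # assumed stand-in for the project's base check class
    def run(self, file_path: str, content: str) -> list:
        raise NotImplementedError

class CheckHardcodedCredentials(BaseCheck):
    """Flags string literals assigned to variables whose names suggest secrets."""
    _SECRET = r"\w*(?:passw(?:or)?d|secret|api_?key|token)\w*"
    # ABAP forms covered:  var = 'literal'.   and   MOVE 'literal' TO var.
    _ASSIGN = re.compile(rf"(?i)\b(?P<var>{_SECRET})\s*=\s*'(?P<val>[^']*)'")
    _MOVE = re.compile(rf"(?i)\bMOVE\s+'(?P<val>[^']*)'\s+TO\s+(?P<var>{_SECRET})\b")

    def run(self, file_path: str, content: str) -> list:
        findings = []
        for lineno, line in enumerate(content.splitlines(), start=1):
            if line.startswith("*"):          # full-line ABAP comment
                continue
            code = line.split('"', 1)[0]      # drop trailing " comment
            for pattern in (self._ASSIGN, self._MOVE):
                m = pattern.search(code)
                if m and m.group("val").strip():   # skip empty literals
                    findings.append(Finding(file_path, lineno,
                        f"Hard-coded credential in '{m.group('var')}'", code.strip()))
                    break
        return findings

# Constructed sample ABAP source used to exercise the check.
SAMPLE_ABAP = """REPORT zdemo.
DATA: lv_user TYPE string,
      lv_password TYPE string.
lv_user = 'RFC_USER'.
lv_password = 'Welcome1'.       " flagged: literal secret
* lv_password = 'old'.           full-line comment, ignored
lv_password = ''.               " empty literal, ignored
MOVE 'abc123' TO lv_api_token."""

def scan_text(content: str, file_path: str = "sample.abap") -> list:
    return CheckHardcodedCredentials().run(file_path, content)
```

Running scan_text(SAMPLE_ABAP) reports lines 5 and 8 only; the comment and the empty literal are skipped, and lv_user is not treated as a secret.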
Run the test suite:

```bash
# Unix-like
./run_tests.sh
# Windows
run_tests.bat
```

Planned:

- Data-flow / taint analysis (sources to sinks) to cut false positives
- SARIF output for GitHub code scanning
- JSON output
- More checks mapped to the OWASP Top 10 and SAP secure-coding guidance
Pull requests are welcome - new checks, test cases, bug fixes and docs all help. See CONTRIBUTING.md and please follow the OWASP Code of Conduct.
Found a vulnerability in the scanner itself? Please follow the responsible-disclosure process in SECURITY.md - do not open a public issue for security reports.
MIT. Originally contributed and maintained by RedRays. The Cloud (SAP BTP) and Web (Management Console) editions are commercial products; this OWASP project (the open-source CLI) is free and open source.
