SAP Custom Code Analysis


Find Quality, Security and Compliance Issues in ABAP, SAPUI5 (FIORI), XSJS and SQLSCRIPT

How Onapsis Code Analysis Works 

Onapsis code analysis is based on extensive test cases that Onapsis has developed over its many years of experience with customer projects, with a database containing patterns of the relevant practices for insecure coding, bad quality or slow code. Test cases fall into six domains, addressing code issues from all angles to ensure your applications remain secure, compliant and available. Below are some examples of common vulnerabilities by domain: 


  • Cross-site scripting, SQL injections, missing authority checks, insecure communication

Compliance

  • Hard-coded usernames, cross-client access to business data, direct database


  • Usage of WAIT command, COMMIT work statement in a loop, incomplete index in WHERE condition 


  • Hard-coded text in WRITE or MESSAGE, hard-coded domain, programs or methods with insufficient comment/code ratio


  • Unsorted SELECT on pooled or cluster tables, hard-coded RFC destinations, missing sy-subrc checks

Data Loss Prevention

  • Disclosure of critical DB content, disclosure of source code, disclosure of critical variable content 

All discovered issues include criticality, an explanation of the vulnerability, business impact and remediation guidance. This gives you essential context to understand if you want to accept the risk and how to prioritize remediation for those findings you elect to fix.

Manual code reviews are labor-intensive, error-prone and often fail to find all critical issues. Onapsis solves this problem by providing automatic analysis for SAP custom code, allowing you to find security, compliance and quality issues in the shortest possible time.

  • Reduce reliance on manual peer reviews, saving time and manpower
  • Find issues earlier when they are easier and less expensive to fix
  • Prevent critical issues from hitting production (and having exponentially worse consequences)
  • Receive actionable remediation guidance for each issue
  • Validate third-party created code (e.g., contract work)

Building Onapsis Code Analysis Into Your Processes

There are multiple options for implementing Onapsis code analysis into your application development and change management processes. Many customers use a combination of approaches.

“Real-time” Scanning: Find and Fix Vulnerabilities while Coding

  • Receive live findings right in the development environment while you are coding
  • Onapsis integrates with SAP HANA Studio, Eclipse, SAP Web IDE and the SAP ABAP development workbench
  • Developers receive an explanation of the finding, the business risk, and actionable solution, so they can remediate on the spot

Example “real-time” scan results in Eclipse development environment.

Before Release & Export: Prevent Issues from Moving to the Next System

  • Automatically scan before code is released to the next system
  • Allows you to accept risks or fix issues before deploying to the next system

Continuous Monitoring of Deployed Code: Protect Code in Production

  • Run regular scans of code that has already been deployed to production
  • Ensure new vulnerabilities cannot be introduced to your production environment
  • Check legacy code against the latest test cases, vulnerabilities and best practices

Results are shown in The Onapsis Platform or in the CodeProfiler Finding Manager.