Description
SAP DevSec Scanner automatically analyzes SAP BTP projects to identify common security vulnerabilities. It supports SAPUI5/Fiori and CAP (Cloud Application Programming) projects.
The scanner accepts:
– a project ZIP archive uploaded through the web interface;
– a server-side directory path for direct filesystem analysis.
Features
| Feature | Description |
|---|---|
| UI5 Version Scanner | Detects obsolete or EOL (End of Life) SAPUI5 versions |
| UI5 Code Scanner | XSS detection, eval(), innerHTML, open redirect, OWASP Top 10 |
| NPM Security Scanner | Audits npm dependencies, detects known CVEs, best practices |
| CAP Security Scanner | CDS access control, SQL injection, service and handler security |
| Secrets Scanner | Plaintext credentials, JWT tokens, API keys, secrets in CI/CD |
| BTP Destinations Scanner | Analysis of XSUAA configurations, BTP destinations, and mta.yaml |
| AppRouter Security Scanner | xs-app.json, HTTP headers, CSRF, scopes, @sap/approuter version |
| Risk Score | 0–100 score weighted by severity (CRITICAL / HIGH / MEDIUM / LOW) |
| Scan History | Session reports stored in memory |
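To show how the "UI5 Code Scanner" and "Risk Score" rows fit together, the following is an added example, not code from SAP DevSec Scanner itself: a small line-based scanner with a handful of regex rules (eval(), innerHTML assignment, variable-driven redirect, leftover debug logging) that runs over a constructed sample Fiori controller and folds the findings into a 0-100 score. The rule set, the severity weights (CRITICAL 40, HIGH 20, MEDIUM 10, LOW 3, capped at 100) and the sample files are all assumptions for this demo; the project's real weighting is not documented on this page.

```javascript
// Added example, not the SAP DevSec Scanner's own code: a minimal line-based
// UI5 code scanner with a severity-weighted 0-100 risk score. The rule set,
// the weights and the sample project below are assumptions made for the demo.

// Constructed sample project: one Fiori controller with four weak lines
// (line 5: eval, line 9: innerHTML, line 13: redirect, line 16: console.log).
const SAMPLE_FILES = {
  "webapp/controller/Main.controller.js": `sap.ui.define(["sap/ui/core/mvc/Controller"], function (Controller) {
  "use strict";
  return Controller.extend("demo.Main", {
    onRun: function (sCode) {
      eval(sCode);
    },
    onRender: function (oEvent) {
      var sUser = oEvent.getParameter("value");
      document.getElementById("out").innerHTML = sUser;
    },
    onRedirect: function () {
      var sTarget = jQuery.sap.getUriParameters().get("next");
      window.location.href = sTarget;
    },
    onLog: function () {
      console.log("debug");
    }
  });
});`,
  "webapp/Component.js": 'sap.ui.define([], function () { "use strict"; return {}; });',
};

// Assumed detection rules: one regex applied to each source line.
const RULES = [
  { id: "UI5-EVAL", severity: "CRITICAL", pattern: /\beval\s*\(/,
    message: "eval() on a runtime string: arbitrary code execution" },
  { id: "UI5-INNERHTML", severity: "HIGH", pattern: /\.innerHTML\s*=(?!=)/,
    message: "innerHTML assignment without encoding: DOM XSS" },
  // Only flags a redirect whose target is not a string literal.
  { id: "UI5-OPEN-REDIRECT", severity: "MEDIUM", pattern: /\blocation(\.href)?\s*=(?!=)\s*[^\s"']/,
    message: "Redirect target comes from a variable, not a literal: open redirect" },
  { id: "UI5-CONSOLE", severity: "LOW", pattern: /\bconsole\.(log|debug)\s*\(/,
    message: "Debug logging left in production code" },
];

// Assumed severity weights; the real scanner's weighting is not documented here.
const WEIGHTS = { CRITICAL: 40, HIGH: 20, MEDIUM: 10, LOW: 3 };

// Scan every file line by line; one finding per (line, rule) match.
function scanProject(files) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    source.split("\n").forEach((line, idx) => {
      for (const rule of RULES) {
        if (rule.pattern.test(line)) {
          findings.push({ file: path, line: idx + 1, rule: rule.id,
                          severity: rule.severity, message: rule.message,
                          snippet: line.trim() });
        }
      }
    });
  }
  return findings;
}

// Sum of per-finding weights, capped at 100.
function riskScore(findings) {
  const raw = findings.reduce((sum, f) => sum + WEIGHTS[f.severity], 0);
  return Math.min(100, raw);
}

// Report shape: findings list, counts per severity, and the overall score.
function buildReport(files) {
  const findings = scanProject(files);
  const bySeverity = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 };
  for (const f of findings) bySeverity[f.severity] += 1;
  return { findings, bySeverity, score: riskScore(findings) };
}

console.log(JSON.stringify(buildReport(SAMPLE_FILES), null, 2));
```

Running the block prints a JSON report for the sample project: four findings (one per severity) and a score of 73. A scanner of this shape is cheap to extend with further rules, but the regexes are line-local, so a redirect whose target is assigned on an earlier line is not caught; that gap is why real tools pair pattern rules with data-flow analysis.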