Run ATC checks with any check variant to validate ABAP code quality and generate assessment reports.
```bash
# Check with system default variant
node --import tsx run-atc-check.ts ZCL_MY_CLASS
# Check with specific variant
node --import tsx run-atc-check.ts ZCL_MY_CLASS --variant S4HANA_READINESS
# List available check variants
node --import tsx list-check-variants.ts
# Custom output path
node --import tsx run-atc-check.ts ZCL_MY_CLASS --output ./my-report.md
# Display only (no save)
node --import tsx run-atc-check.ts ZCL_MY_CLASS --no-save
```

Copy `.env.example` to `.env` and fill in your values:

```bash
cp .env.example .env
# Then edit .env with your SAP connection details
```

See `.env.example` for all available configuration options including TLS settings and logging.
- Any check variant -- DEFAULT, CLEAN_CORE ("Usage of APIs"), ABAP_CLOUD_DEVELOPMENT_DEFAULT ("Usage of Released APIs"), S4HANA_READINESS, custom, etc.
- Variant discovery -- queries SAP system for available variants
- Auto-saves reports by default to `reports/atc/` directory
- Auto-detects object types
- Shows detailed findings with line numbers
- Shows quickfix availability
- Exit code 1 if errors found
Run ATC checks during development. Findings at priority 1-2 block transport in most SAP configurations -- catching them early saves a round trip.
```bash
# After writing or modifying ABAP code:
node --import tsx run-atc-check.ts ZCL_MY_CLASS
# Fix the reported findings, then verify:
node --import tsx run-atc-check.ts ZCL_MY_CLASS
```

Assess custom code against SAP Clean Core guidelines. The CLEAN_CORE variant flags usage of non-released APIs that need replacement or wrapping.

```bash
# Single object
node --import tsx run-atc-check.ts ZCL_MY_CLASS --variant CLEAN_CORE
# Entire package -- generates a prioritized summary
node --import tsx batch-atc-parallel.ts ZPACKAGE --variant CLEAN_CORE
# Then review: reports/atc/atc_summary.md
```

Scan custom code for S/4HANA compatibility issues before migration. Batch mode gives a full picture across a package.

```bash
node --import tsx batch-atc-parallel.ts ZPACKAGE --variant S4HANA_READINESS
# Then review: reports/atc/atc_summary.md
```

Verify that custom code uses only released APIs -- required for ABAP Cloud (public cloud, BTP ABAP Environment).

```bash
node --import tsx run-atc-check.ts ZCL_MY_CLASS --variant ABAP_CLOUD_DEVELOPMENT_DEFAULT
```

The checker exits with code 1 when errors are found. Use this in scripts or CI pipelines to block transport of non-compliant code.
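```bash
# "|| echo" alone would return 0 and hide the failure from the pipeline,
# so exit non-zero explicitly after printing the message.
node --import tsx run-atc-check.ts ZCL_MY_CLASS --variant CLEAN_CORE \
  || { echo "Blocked: ATC errors must be resolved before transport"; exit 1; }
```

For a full Clean Core evaluation of an existing codebase: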
- Discover -- identify custom objects in the target package
- Scan -- batch check with `CLEAN_CORE` variant
- Triage -- review `atc_summary.md`, sort by priority
- Fix -- address priority 1 (blocker) and 2 (error) findings first
- Verify -- re-run checks on fixed objects to confirm resolution
- Repeat -- work through priority 3 (warning) findings
The same sequence applies to S4HANA_READINESS and ABAP_CLOUD_DEVELOPMENT_DEFAULT assessments.
This skill is designed to work with Claude Code. Rather than running scripts manually, you describe what you need and Claude Code handles the rest -- running checks, reading reports, interpreting findings, and suggesting fixes.
Run a check:
Run a Clean Core check on ZCL_MY_CLASS
Assess a package:
Check all objects in package ZTEST for S/4HANA readiness and summarize the findings
Check and fix (the full loop):
Run ATC check on ZCL_MY_CLASS with CLEAN_CORE variant, read the source code,
and suggest fixes for any findings
Discover what's available:
What ATC check variants are available on our SAP system?
Triage an existing report:
Read reports/atc/atc_summary.md and tell me which objects need attention first
The scripts in this skill run checks and produce reports. Claude Code closes the loop:
- Runs the check -- picks the right script, variant, and options
- Interprets findings -- explains what each finding means in context, not just the message text
- Reads ABAP source -- pulls the relevant code from SAP to understand the root cause
- Suggests fixes -- proposes concrete ABAP code changes based on the findings and source
- Verifies -- re-runs the check after changes to confirm findings are resolved
This turns a multi-step manual process into a single conversation.
- Install Claude Code (if not already installed):

  ```bash
  npm install -g @anthropic-ai/claude-code
  ```

- Clone and configure:

  ```bash
  git clone https://github.com/openkash/sap-atc-checker.git
  cd sap-atc-checker
  cp .env.example .env
  # Edit .env with your SAP connection details
  npm install
  ```

- Launch Claude Code:

  ```bash
  claude
  ```

Claude Code reads CLAUDE.md at the project root and skill.md in the skill directory automatically -- no additional configuration needed.
| Priority | SAP Severity | Description |
|---|---|---|
| 1 | Very High (Blocker) | Must fix, blocks transport |
| 2 | High (Error) | Fix before transport |
| 3 | Medium (Warning) | Review and plan remediation |
| 4 | Low (Information) | Optional improvement |
| Script | Purpose |
|---|---|
| `run-atc-check.ts` | Single object ATC check |
| `list-check-variants.ts` | List available check variants |
| `batch-atc-parallel.ts` | Parallel batch check for packages |

CLAS, INTF, PROG, FUGR, FUNC, DDLS, BDEF, SRVD, SRVB, TABL, STRU, DTEL, and more.
```
sap-atc-checker/
├── .env.example # SAP connection template (copy to .env)
├── .github/workflows/ci.yml # GitHub Actions CI pipeline
├── .gitignore # Excludes .env, logs, node_modules
├── .eslintrc.json # Linting rules
├── .prettierrc # Code formatting rules
├── package.json # Dependencies and npm scripts
├── package-lock.json # Locked dependency versions
├── tsconfig.json # TypeScript configuration
├── LICENSE # Apache-2.0
├── README.md # This file
├── CLAUDE.md # Claude Code project instructions
├── SECURITY.md # Vulnerability reporting policy
├── CONTRIBUTING.md # Contribution guidelines
├── skill.md # Claude Code skill definition
├── run-atc-check.ts # CLI: single object ATC check
├── batch-atc-parallel.ts # CLI: parallel batch check for packages
├── list-check-variants.ts # CLI: list available check variants
├── sap-atc-client.ts # ATC client (worklist, run, findings)
├── sap-adt-client.ts # ADT client (connection, object discovery)
├── shared-utils.ts # Env loading, report saving, summary
├── secure-logger.ts # Logging with sensitive data masking
├── sap-atc-client.test.ts # ATC client unit tests
├── secure-logger.test.ts # SecureLogger masking tests
└── reports/atc/ # Generated reports (git-ignored)
    ├── <OBJECT>_atc.md # Individual check reports
    └── atc_summary.md # Aggregated summary
```

Reports are saved to reports/atc/:
- `<OBJECT_NAME>_atc.md` -- ATC check results with findings
- `atc_summary.md` -- Summary of all checked objects

Override: Use --output FILE for custom path or --no-save for display only.
```bash
# Check entire package
node --import tsx batch-atc-parallel.ts ZPACKAGE --variant ABAP_CLOUD_DEVELOPMENT
# With concurrency control
node --import tsx batch-atc-parallel.ts ZPACKAGE --variant S4HANA_READINESS --concurrency 5
```

- `0` -- Success (no errors)
- `1` -- Errors found or execution failure

Connection Failed: Check .env configuration and SAP user authorization (S_RFC, S_DEVELOP activities 03/16)
Object Not Found: Verify object name and client
Variant Not Found: Run list-check-variants.ts to see available variants
Timeout: Check SAP system performance
- All SAP credentials loaded from `.env` file -- never hardcoded in source
- `.gitignore` excludes `.env`, `.env.*`, and all log files from version control
- `.env.example` provided with placeholder values for safe reference
- Required environment variables validated before any SAP connection attempt
- Connection objects passed in-memory only; credentials never written to disk
The SecureLogger module automatically redacts sensitive data in all console and file output:
- Password masking -- fields containing `password`, `passwd`, `pwd` replaced with `***REDACTED***`
- Auth header masking -- `authorization`, `auth`, `token` fields fully redacted
- Username partial masking -- only first 2 characters shown (e.g., `AD***`)
- File path sanitization -- home directory paths (`/home/user`, `C:\Users\user`) masked
- Error message sanitization -- credential patterns (`password=`, `token=`, `authorization=`) stripped from exception messages and stack traces
- Recursive masking -- nested objects and arrays processed at all depths
- Test coverage -- unit tests verify masking behavior (`secure-logger.test.ts`)

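
The masking rules above can be exercised with a small recursive redactor. This is an added example written from the list, not the project's `secure-logger.ts`; the names `maskSensitive`, `sanitizeMessage`, `maskUsername`, the set of username keys and the sample record are assumptions, and home-directory path masking is left out.

```typescript
const REDACTED = "***REDACTED***";
// Substring match on the key name. This over-redacts (a key named "author"
// also matches "auth"), which is the safe direction for a logger.
const SECRET_KEY = /password|passwd|pwd|authorization|auth|token/i;
// Assumption: which key names hold a username.
const USER_KEY = /^(user|username)$/i;
// Credential patterns embedded in free text such as exception messages.
const INLINE_SECRET = /\b(password|token|authorization)=[^\s&;]+/gi;

function maskUsername(name: string): string {
  return name.slice(0, 2) + "***"; // "ADMIN" -> "AD***"
}

function sanitizeMessage(text: string): string {
  // Keeps the key so the log stays readable, replaces only the value.
  return text.replace(INLINE_SECRET, (_m, key: string) => `${key}=${REDACTED}`);
}

function maskSensitive(value: unknown, key = ""): unknown {
  if (SECRET_KEY.test(key)) return REDACTED;
  // Error fields are non-enumerable, so Object.entries() would drop the message.
  // The stack is omitted here rather than sanitized.
  if (value instanceof Error) {
    return { name: value.name, message: sanitizeMessage(value.message) };
  }
  if (typeof value === "string") {
    return USER_KEY.test(key) ? maskUsername(value) : sanitizeMessage(value);
  }
  if (Array.isArray(value)) return value.map((item) => maskSensitive(item, key));
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value)) out[k] = maskSensitive(v, k);
    return out; // a new object: the caller's record is never mutated
  }
  return value; // numbers, booleans, null, undefined pass through
}

// Constructed sample record (not real data).
const sampleRecord = {
  event: "connect",
  user: "ADMIN",
  conn: { host: "sap.example.internal", sapPassword: "s3cret" },
  headers: [{ Authorization: "Basic QUJDOnh5eg==" }],
  error: new Error("login failed: password=s3cret&client=100"),
};

console.log(JSON.stringify(maskSensitive(sampleRecord), null, 2));
```
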
- Object name validation -- strict allowlist pattern (alphanumeric, underscores, slashes, max 40 characters) via `validateObjectName()` prevents command/path injection
- XML escaping -- `escapeXml()` encodes `&`, `<`, `>`, `"`, `'` in all user-supplied values before XML payload construction, preventing XML injection
- URL encoding -- variant names, worklist IDs, run IDs, and search queries passed through `encodeURIComponent` before inclusion in URLs
- Path traversal prevention -- output file paths validated to stay within the project directory
- SAP SID format validation -- 3 alphanumeric characters

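
The input-handling controls above, sketched in TypeScript as an added example (not the project's own code). The function bodies are written from the descriptions in this list; `resolveInsideProject`, `buildRunRequest`, `BASE_PATH` and the XML element names are hypothetical.

```typescript
import * as path from "node:path";

// Allowlist from the list above: alphanumerics, underscores, slashes, max 40 chars.
const OBJECT_NAME = /^[A-Za-z0-9_\/]{1,40}$/;

function validateObjectName(name: string): string {
  if (!OBJECT_NAME.test(name)) throw new Error("Invalid object name");
  return name;
}

function escapeXml(value: string): string {
  return value
    .replace(/&/g, "&amp;") // must run first so later entities are not re-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;");
}

// Resolve an output path and reject anything that lands outside projectRoot.
function resolveInsideProject(projectRoot: string, outputPath: string): string {
  const root = path.resolve(projectRoot);
  const target = path.resolve(root, outputPath);
  const rel = path.relative(root, target);
  const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  if (rel === "" || escapes) {
    throw new Error("Output path escapes the project directory");
  }
  return target;
}

// Each value is encoded for the context it lands in: URL query vs. XML attribute.
// BASE_PATH and the XML element/attribute names are hypothetical placeholders.
const BASE_PATH = "/example/atc/runs";

function buildRunRequest(worklistId: string, objectName: string) {
  const name = validateObjectName(objectName);
  return {
    url: `${BASE_PATH}?worklistId=${encodeURIComponent(worklistId)}`,
    body: `<run><object name="${escapeXml(name)}"/></run>`,
  };
}
```

`path.resolve` is purely lexical, so if the reports directory can contain symlinks, compare real paths (for example via `fs.realpathSync`) before writing.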
- CSRF tokens fetched on initial SAP connection (`x-csrf-token: fetch`) and included in all state-changing POST requests
- Cookie-based session management with proper `set-cookie` parsing
- Stateful ADT sessions (`x-sap-adt-sessiontype: stateful`)

- TLS certificate validation enabled by default (`rejectUnauthorized: true`) -- can be disabled for development systems with self-signed certificates via `SAP_REJECT_UNAUTHORIZED=false`
- Configurable HTTP/HTTPS via `SAP_SECURE` environment variable
- 60-second request timeout on all HTTP calls
- Authentication failure (401) reported immediately without retry to prevent credential lockout
- All reports stored locally only -- no external transmission
- Reports written to configurable `REPORTS_DIR` directory
- Log files written to configurable `LOGS_DIR` directory
- Both `logs/` and `reports/` are git-ignored by default

- `package-lock.json` committed for reproducible builds and supply chain integrity
- Run `npm audit` regularly to check for known vulnerabilities

See SECURITY.md for the vulnerability reporting policy.
Apache-2.0. See LICENSE for the full text.
See CONTRIBUTING.md for contribution guidelines.