Had SAP supported XLSX natively, you wouldn't need an external package 🙂

Anyway, what are you worried about? There is only one OPEN DATASET statement and it is used to read an external XLSX file which is then handled with official SAP classes to unpack and process the XML nodes within.

There are no calls to "business" transactions nor application table accesses, the thing works on the MiniSAP demos which DO NOT have them.

It's a good question because Open Source doesn't mean secured. It just means that anybody can check the content of the source code. There is no certification by a certification authority. The ABAP community being quite passive in participating to the code, if I didn't know abap2xlsx well, I would make an audit by a trusted company before using it.

It almost certain that your client is using open source code all over the place. E.g. if you're developing using ADT/Eclipse. So conceptually abap2xlsx is no different.

Any code - whether developed directly on the system, or imported from a git repository - should be checked for security issues. At the very least use the checks built into SCI. There are also SAP Partners who will sell software that does even more checks than SCI.

I easily got permission to put abap2xlsx into a company in a highly regulated industry. There was a clear business need for it. That's probably the biggest "reassurance" the client is likely to need. Either install abap2xlsx or waste thousands of dollars re-inventing the wheel.

Thank you all for your responses.

What I did on my side - and tell me if it makes sense for you too - is to pass the abap2xls code in the SCII transaction with the security variants SECURITY_CHECK_ALL which check a set of important points.