Technology Blog Posts by SAP
Yogananda
Product and Topic Expert

Application Vulnerability Report Service is currently in Beta Phase 
Try it out and provide feedback on your observations
SAP Technical Support Ticket Component : BC-CP-SEC-AVR

What Is Application Vulnerability Report?

Security is a top priority in today’s digital landscape, especially when applications rely heavily on open-source components. These components, while powerful and cost-effective, often come with publicly known vulnerabilities that can put your business data at risk.

The Application Vulnerability Report is a newly introduced feature for SAP Business Technology Platform (BTP) services that helps you detect and remediate vulnerabilities in your Cloud Foundry applications. This tool scans your application for known security issues based on Common Vulnerabilities and Exposures (CVEs), ensuring that you stay ahead of potential threats.

The service is currently in Beta Phase and available in the eu-10 region. Once the Beta Phase is completed, roll-out to other regions is expected in Q2 or Q3 2026.

How to enable it in your tenant?

Go to Entitlements in your SAP BTP subaccount and add the Application Vulnerability Report plans.

2025-12-02_07-58-18.png

Service Marketplace

Search for application-vulnerability-report-service in the SAP BTP Service Marketplace.

2025-12-02_07-59-10.png

Create Instance in your Cloud Foundry space

  • Go to your Cloud Foundry space (for example Dev, UAT, TST, etc.)
  • Create a new instance for Application Vulnerability Report with the default plan
  • Provide an instance name

2025-12-02_08-32-48.png

Create Service Key

  • Create a New Service Key for API Access

2025-12-02_08-34-24.png

Allow the User to Access the Space

You need to manually add the application-vulnerability-report-scanner@sap.com user to your Cloud Foundry space. This enables the application vulnerability report to download the droplets of the respective applications and scan them accordingly.

  1. Log on to the CF space that you want to scan.
  2. Select the Space Members tab and choose Add Member.
  3. Enter the application-vulnerability-report-scanner@sap.com user and assign the Space Auditor role to it.

2025-12-02_08-41-38.png

Why Is This Important?

Open-source vulnerabilities are one of the most frequent security challenges in modern application development. Attackers are quick to exploit these weaknesses, and failing to address them promptly can lead to severe consequences, including data breaches and compliance violations.

By using the Application Vulnerability Report, you can:

  • Identify vulnerabilities early in your application lifecycle.
  • Understand the severity of each issue based on CVE data.
  • Take corrective actions quickly to secure your SAP BTP landscape.


Application Vulnerability Report  - Process overview

The application vulnerability report supports you in the detection of vulnerabilities in custom applications during runtime. Instead of a shift-left approach during pipeline runs, this service provides security-relevant information for what has already been deployed (and maybe forgotten). The service scans the applications using a proprietary scanning layer that utilizes open-source scanners such as Open Source Vulnerabilities (OSV) and Trivy, as well as custom SAP BTP-specific and 0-day-exploit-targeted scanners. This combination offers broad and up-to-date coverage of vulnerabilities in your applications. By using an API, you can integrate the report data into your incident and security workflow.

jpeg (1)1764659722.png

Overview of each step in the process flow

1. Applications Running on SAP BTP

  • This is the starting point.
  • It includes all your Cloud Foundry applications deployed on SAP Business Technology Platform.
  • Example: CAP, Python, JavaScript, Java, Go, .NET, or any other programming language deployed in your space (this also includes npm libraries, pip libraries, or any other libraries consumed by your applications).
  • These applications often use open-source libraries and packages, which can have vulnerabilities.

2. Scanning Layer

This layer performs the security scans on your applications. It currently runs a weekly scan. It consists of multiple scanning sources:

  • Commercial
    Uses commercial vulnerability databases and tools to identify known issues.

  • Trivy/OSV
    Trivy is an open-source vulnerability scanner, and OSV (Open Source Vulnerabilities) is a database of vulnerabilities in open-source software.
    These help detect issues in widely used open-source components.

  • BTP Specific
    Scans for vulnerabilities specific to SAP BTP services and configurations, ensuring platform-level security.

  • 0 Day
    Focuses on zero-day vulnerabilities, which are newly discovered and not yet patched.
    These are critical because attackers often exploit them quickly.


3. Application Vulnerability Report for SAP BTP

  • After scanning, all findings are consolidated into a single report.
  • This report provides:
    • List of vulnerabilities
    • Severity levels
    • Recommendations for remediation
  • It acts as a centralized dashboard for security insights.

4. API for Customers

  • Customers can access the report via API.
  • This allows integration with:
    • Security dashboards
    • CI/CD pipelines
    • Monitoring tools
  • Ensures automation and continuous security checks.

5. Customers

  • End-users (developers, security teams) consume the report and take corrective actions to secure applications.


Technical Usage

How to get the findings of your deployed CF applications.

2025-12-02_09-43-39.png

Example: Scanned Finding Report

2025-12-03_09-06-34.png

36 Comments
MatthiasL
Participant
0 Likes

I can't find the service yet (in Discovery Center). What are the costs?

ThibaultChanas
Discoverer
0 Likes

What is the vulnerability scan frequency?

Yogananda
Product and Topic Expert
Product and Topic Expert

@MatthiasL - NO additional Licenses required.

Yogananda
Product and Topic Expert
Product and Topic Expert

@ThibaultChanas - Currently a weekly report, but after your application is deployed and active in the CF runtime.

Harjyot
Discoverer
0 Likes

Hey Yogananda, two quick clarifications on scope and integration to help us plan adoption and integration with our security program:

  • Does the service (or its API) cover scanning of HTML5/custom UI5 applications deployed in SAP BTP (Cloud Foundry) and also in on‑premise landscapes, or is it limited to CF runtime apps?
  • Can we retrieve a list of direct and transitive npm/pip packages (from package-lock.json and similar), plus severity findings per component via the API? What output formats are supported?
  • Frequency: the blog mentions weekly scans. Are there options to configure a different cadence, or trigger on-demand scans?
  • We already run a custom scanning pipeline and would love to better understand integration paths (API rate limits, auth, audit logs) and whether we can submit our package-lock.json as input to reduce false negatives for UI5/Node/Python stacks.
  • Could you share an official SAP contact (support ticket or email)? We’d like a deeper technical walkthrough and to discuss aligning this service with our existing security processes.

Thanks,

Harjyot Sital

dyaryura
Contributor

Hi @Yogananda 

I see this is only available for EU10, are you planning to release the Beta in the US regions also?

AnaCarsi
Product and Topic Expert
Product and Topic Expert

Hi @Harjyot

thanks for your questions! To answer them:

Does the service (or its API) cover scanning of HTML5/custom UI5 applications deployed in SAP BTP (Cloud Foundry) and also in on‑premise landscapes, or is it limited to CF runtime apps?

Our service scans applications deployed on the SAP BTP Cloud Foundry runtime and does not cover on-premise landscapes.

Regarding HTML5/UI5 applications, they are covered under the following conditions:

  • The application must be deployed on the Cloud Foundry runtime.
  • The scan focuses on identifying vulnerabilities within the application's open-source components and dependencies.

 

Can we retrieve a list of direct and transitive npm/pip packages (from package-lock.json and similar), plus severity findings per component via the API? What output formats are supported?

Yes, the API provides the necessary information to address those needs.

  • List of Packages: The API response includes a packageNames field, which is an array containing the names of the components where vulnerabilities were found. Our underlying scan identifies vulnerabilities across the entire dependency tree.
  • Severity Findings: The API gives detailed severity information for each finding through:
    • maxCvss: highest CVSS score, providing a standard numerical severity rating.
    • priority: simplified priority level.
    • activeCves: list of specific CVEs associated with the component.
    • description and recommendation: textual details about the vulnerability and how to remediate it.
  • Output Format: The API supports the JSON format for its output, as seen by the data model.

Frequency: the blog mentions weekly scans. Are there options to configure a different cadence, or trigger on-demand scans?

Right now, the scans are run on a weekly basis, but we have plans to incorporate a more frequent scanning regimen.

We already run a custom scanning pipeline and would love to better understand integration paths (API rate limits, auth, audit logs) and whether we can submit our package-lock.json as input to reduce false negatives for UI5/Node/Python stacks.

API findings are returned in the format:

{
  "findings": [{
    "id*": "string",
    "sourceId*": "string",
    "globalAccountId*": "string",
    "subAccountId*": "string",
    "findingId*": "string",
    "description*": "string",
    "recommendation*": "string",
    "cfOrganizationId": "string",
    "cfOrganizationName": "string",
    "appId": "string",
    "appName": "String",
    "lastFound": "Timestamp",
    "firstFound": "Timestamp",
    "assetContext": "string",
    "assetLink": "string",
    "spaceId": "string",
    "spaceName": "string",
    "packageNames": "string[]",
    "activeCves": "string[]",
    "maxCvss": "decimal",
    "platform": "string",
    "maxCvssVector": "string",
    "sourceRuleId": "string",
    "priority": "string"
  }]
}
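The findings shape above is enough to build a small triage step on the consumer side. The script below is an added example, not SAP's code, and its sample response is constructed in that shape with invented values. It parses a response, ranks findings by maxCvss with an assumed fallback to the priority field when maxCvss is null (the thread reports null values during the beta), matches each finding against a watch-list of identifiers (it assumes such identifiers appear in sourceRuleId or activeCves, using the MAL ids quoted later in the thread), and flags entries whose lastFound is older than the 8-day retention window mentioned below. A body without a findings array (such as a NO_FINDINGS_FOUND reply) is treated as "nothing to triage"; that handling is an assumption, since the exact shape of that reply is not documented here.

```python
"""Triage helper for Application Vulnerability Report API findings.

Added example (not SAP's code). Sample data is constructed; field names follow
the format posted in the thread.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone
from typing import Any

# Assumed mapping of the simplified `priority` field to a CVSS-like number.
# Used only when `maxCvss` is null, as reported for the beta.
PRIORITY_FALLBACK = {"critical": 9.0, "high": 7.0, "medium": 5.0, "low": 2.0}

# Retention period stated in the thread: findings are removed 8 days after
# they were last found.
RETENTION_DAYS = 8

# Identifiers quoted in the thread for the CAP/MBT npm incident (watch-list).
WATCHLIST = {"MAL-2026-3179", "MAL-2026-3178", "MAL-2026-3176"}

# Reference time for the stale check (constructed).
NOW = datetime(2026, 5, 7, tzinfo=timezone.utc)

# Constructed sample response in the documented shape; all values invented.
SAMPLE_RESPONSE = json.dumps({
    "findings": [
        {"id": "f-1", "findingId": "fi-1", "sourceId": "osv",
         "globalAccountId": "ga-1", "subAccountId": "sa-1",
         "appName": "cap-rfc", "spaceName": "dev",
         "description": "Known malicious version of mbt",
         "recommendation": "Upgrade to a clean version and rotate credentials",
         "lastFound": "2026-05-06T10:00:00.000Z", "firstFound": None,
         "packageNames": ["mbt"], "activeCves": [], "maxCvss": None,
         "sourceRuleId": "MAL-2026-3179", "priority": "high"},
        {"id": "f-2", "findingId": "fi-2", "sourceId": "osv",
         "globalAccountId": "ga-1", "subAccountId": "sa-1",
         "appName": "cap-rfc", "spaceName": "dev",
         "description": "Prototype pollution in a utility library",
         "recommendation": "Upgrade the affected package",
         "lastFound": "2026-05-06T10:00:00.000Z",
         "firstFound": "2026-04-22T09:00:00.000Z",
         "packageNames": ["lodash"], "activeCves": ["CVE-0000-0001"],
         "maxCvss": 9.8, "sourceRuleId": "GHSA-PLACEHOLDER-1",
         "priority": "critical"},
        {"id": "f-3", "findingId": "fi-3", "sourceId": "osv",
         "globalAccountId": "ga-1", "subAccountId": "sa-2",
         "appName": "legacy-ui", "spaceName": "rnd",
         "description": "Argument injection in a CLI parser",
         "recommendation": "Upgrade the affected package",
         "lastFound": "2026-04-25T10:00:00.000Z", "firstFound": None,
         "packageNames": ["minimist"], "activeCves": ["CVE-0000-0002"],
         "maxCvss": 5.3, "sourceRuleId": "GHSA-PLACEHOLDER-2",
         "priority": "medium"},
    ]
})


def parse_findings(body: str) -> list[dict[str, Any]]:
    """Return the findings array, or [] when the body carries none.

    Assumption: a non-JSON body or one without a `findings` list (for example
    a NO_FINDINGS_FOUND reply) means there is nothing to triage.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(doc, dict) or not isinstance(doc.get("findings"), list):
        return []
    return doc["findings"]


def severity(finding: dict[str, Any]) -> float:
    """maxCvss when populated, otherwise the assumed number for `priority`."""
    cvss = finding.get("maxCvss")
    if isinstance(cvss, (int, float)) and not isinstance(cvss, bool):
        return float(cvss)
    return PRIORITY_FALLBACK.get(str(finding.get("priority", "")).lower(), 0.0)


def watchlist_hits(finding: dict[str, Any], watchlist=WATCHLIST) -> set[str]:
    """Watch-list ids present in sourceRuleId or activeCves (assumed fields)."""
    ids = set(finding.get("activeCves") or [])
    if finding.get("sourceRuleId"):
        ids.add(finding["sourceRuleId"])
    return ids & set(watchlist)


def is_stale(finding: dict[str, Any], now: datetime,
             retention_days: int = RETENTION_DAYS) -> bool:
    """True when lastFound is older than the retention window (or missing)."""
    raw = finding.get("lastFound")
    if not raw:
        return True
    last = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    return now - last > timedelta(days=retention_days)


def triage(body: str, now: datetime, watchlist=WATCHLIST) -> list[dict[str, Any]]:
    """Flatten findings into rows, watch-list hits first, then by severity."""
    rows = []
    for f in parse_findings(body):
        rows.append({
            "app": f.get("appName"), "space": f.get("spaceName"),
            "packages": list(f.get("packageNames") or []),
            "severity": severity(f),
            "watchlist": sorted(watchlist_hits(f, watchlist)),
            "stale": is_stale(f, now),
            "recommendation": f.get("recommendation"),
        })
    rows.sort(key=lambda r: (bool(r["watchlist"]), r["severity"]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_RESPONSE, NOW):
        print(row)
```

Watch-list hits are placed ahead of everything else regardless of score, because an identifier you are actively hunting for matters more than a CVSS number; the stale flag is a hint that a finding may be about to age out of the report rather than a statement that it was fixed.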


AnaCarsi
Product and Topic Expert
Product and Topic Expert
0 Likes

We track our development incidents over SNOW under the component: BC-CP-SEC-AVR.

 

Regards,

Ana

MatthiasL
Participant

Some feedback and minor issues about the documentation:

1) When you go to the main help page and click What's New you get no results. However going there via other link (via) does yield results

2) Since it's in beta, you need to enable the beta feature for said subaccount. I feel like this should be clarified more, both from a perspective of how to activate it - but also because I get a warning when turning it on to not use it in production and that I can't disable it. So not sure if I should turn it on, even for our R&D subaccount.

3) Still can't find it in the Discovery pages, while it is mentioned that it should be. Also, another dead link under "See Always Free Tag"

4) It could be a bit more specific about what kind of 0 days and BTP specific things it detects (from)

5) When clicking the Info button from BTP to the product, it brings you to another dead URL

MatthiasL_0-1764872382685.png

/Edit:  Added 6

6) When searching for Vulnerability in help.sap you don't find anything, when searching for application vulnerability you sort of find it - but neither of them are listed as products (perhaps because it's in beta?)

MatthiasL_0-1764921963171.png

 

Really love the idea behind this product so hope these bits help to get it more used!

 

MatthiasL
Participant
0 Likes

Can the scanner also scan different CF spaces on different subaccounts (by adding the email/auditor role) or would you need to enable it on every subaccount where you have CF spaces that you want to be scanned?

henry_brink
Product and Topic Expert
Product and Topic Expert
0 Likes

Hi @MatthiasL,

Thank you for your feedback! As for your questions, please find the answers below:

1) When you go to the main help page and click What's New you get no results. However going there via other link (via) does yield results

The "What's New" section in our product documentation contains changes to the product itself; the other "What's New" section is part of the overall BTP documentation, which also mentions new services / products. We will definitely use that section when we add new features to the product itself.

2) Since it's in beta, you need to enable the beta feature for said subaccount. I feel like this should be clarified more, both from a perspective of how to activate it - but also because I get a warning when turning it on to not use it in production and that I can't disable it. So not sure if I should turn it on, even for our R&D subaccount.

We understand that concern. If you want to separate beta applications from your main R&D subaccount, you can also create a dedicated subaccount with access to beta features. By adding our technical user to other spaces, you can still scan them even if the service is subscribed in a different subaccount, as long as the subaccount which should be scanned is in one of the following data centers: cf-eu10 (including extension landscapes), cf-22 and cf-eu30. For security and compliance reasons, we can only scan in the same region the scanner resides in.

3) Still can't find it in the Discovery pages, while it is mentioned that it should be. Also, another dead link under "See Always Free Tag"

We are actively working on that.

4) It could be a bit more specific about what kind of 0 days and BTP specific things it detects (from)

During the beta, the scanner will only scan using the osv-scanner, when we add additional scanners we will explicitly state information about them in our documentation.

5) When clicking the Info button from BTP to the product, it brings you to another dead URL

Thank you for noticing, we are working on fixing that!

6) When searching for Vulnerability in help.sap you don't find anything, when searching for application vulnerability you sort of find it - but neither of them are listed as products (perhaps because it's in beta?)

We will have a look, it might take some time for help.sap.com to index new resources.

Best Regards,
Henry

MatthiasL
Participant
0 Likes

Hi Henry,

Sorry but I disagree with your view on 1)

The URL on the main page is:

https://help.sap.com/whats-new/cf0cb2cb149647329b5d02aa96303f56?Component=application%20vulnerability%20report&locale=en-US

The URL in the other part of the documentation is:

https://help.sap.com/whats-new/cf0cb2cb149647329b5d02aa96303f56?Component=Application+Vulnerability+Report&locale=en-US

They both go to BTP, they both aim to filter on this application - except the first uses spaces instead of +

MatthiasL
Participant
0 Likes

I've been test running this on some of our packages and while it does yield results it seems some fields are not returned properly:

- maxCvss is always null
- Not sure if extensive information about the global account is really necessary, I would think it only runs within that one global account?

Also, can the explanation of the API findings format a few posts above be posted in the help documentation?

AnaCarsi
Product and Topic Expert
Product and Topic Expert

Hi @MatthiasL,

thanks for your feedback! Please find the answers to your questions below:

1) Regarding the URL inconsistency:

Thanks for pointing out that. Encoding the component with %20 does not allow to filter, we will check that out.

2) maxCvss is always null

This is a known issue in the current beta version. As we are initially using the OSV scanner, the mapping to the maxCvss field is not yet complete. We are working on resolving this to ensure CVSS scores are populated correctly in a future update. In the meantime, you can rely on the priority field to help assess the severity of a finding.

3) Not sure if extensive information about the global account is really necessary, I would think it only runs within that one global account?

Thanks for the feedback, we will take this into consideration for API updates and discuss if these fields are always necessary.

4) Regarding the API documentation, we are working on it! We plan to publish it on the Business Accelerator Hub - api.sap.com.

Best regards,

Ana

gregorw
SAP Mentor
SAP Mentor
0 Likes

Hi @Yogananda ,

thank you for providing this service in its Beta version for testing.

I've activated it in an EU10 Subaccount and got my first scan results on January 7th 2026. For the application cap-rfc I've got 5 findings. Due to the findings I've updated the dependencies of the application and re-deployed. As I understand your previous response, a new scan is triggered every week or after a new deployment. But when I checked the API today, I still have 5 findings. The field lastFound shows me:
"lastFound": "2025-12-31T12:12:00.799Z",
for all 5 entries.

Looking forward to your input.

Best regards,
Gregor

AnaCarsi
Product and Topic Expert
Product and Topic Expert
0 Likes

Hello @gregorw ,

thank you for your feedback, and please excuse our delayed response. We are currently reviewing the status of your lastFound field. We’ll contact you with a solution as soon as possible.

Best regards,

Ana

aannaa
Newcomer
0 Likes

Hi @Yogananda,

I understand that there are no costs in the beta version as the version is free, what will the licensing model be once the service is released?

Is it already known whether it will still be free or not?

Thanks in advance

Best regards,

Anna

MatthiasL
Participant

Any updates on rollouts on eu20 and other datacenters? 

ArunA
Explorer
0 Likes

Thank you so much for sharing the detail step about this much needed service. When is this available for US region?


MatthiasL
Participant
0 Likes

I noticed that when I decide I don't want to scan a certain subaccount/space anymore, the results don't disappear.

I had included our R&D space, with a lot of spaghetti code, and now the results seem 'stuck' in the API - while I've removed access from the scanner. And yes, I waited a week. I see the subaccounts/spaces that are still scanned, have an updated "lastFound", but the removed things are still there with a lastFound of 1week ago. Not sure if I'm missing something or if this is something a beta is for 😉

Yogananda
Product and Topic Expert
Product and Topic Expert
0 Likes

@MatthiasL 

you must remove the user (application-vulnerability-report-scanner@sap.com) from the Space Auditor role, so that it doesn't scan your subaccount.

If this is still happening, could you please raise an SAP Support ticket for the component mentioned in the blog above.

MatthiasL
Participant
0 Likes

Hmm, I had only removed it from the spaces - not the subaccount - I thought the app might have needed that. I'll check back in 1 week, thanks!

/Edit: Yes, this works.

Michael-G
Explorer
0 Likes

This looks promising, also the currently released UI. Are there any details / security info about the security layer and the scanning process regarding data privacy etc.?

gregorw
SAP Mentor
SAP Mentor
0 Likes

Hi @Yogananda ,

just noticed that with the latest update the Application Vulnerability Report now also has its own UI. But unfortunately this causes an issue in the SAP Build Work Zone Content Explorer. I've filed SAP Support Case 564722/2026. Hope you can directly pick it up and provide a solution. It's currently blocking us from adding new content to the Launchpad.

Best regards,
Gregor

Yogananda
Product and Topic Expert
Product and Topic Expert
0 Likes

Thanks @gregorw ! I will follow up and thanks for bringing this point!

JoeGoerlich
Active Contributor
0 Likes

@Fabian_Richter , @Yogananda is the Application Vulnerability Report able to identify affected applications of the recent supply chain attack in SAP Cloud Application Programming Model & MTA Build Tool (https://me.sap.com/notes/3747787)?

BR,

Joe

flusch
Participant
0 Likes

@Yogananda 

When do fixed findings disappear from the database? What is the logic behind it?
I had some findings on 22.4. (lastFound = 22.4, firstFind = null). A few days later, I fixed the findings.
At the next scan, on 29.4. the entries were unchanged: lastFound = 22.4, firstFind = null.
Today the database is empty, API returns NO_FINDINGS_FOUND.

henry_brink
Product and Topic Expert
Product and Topic Expert
0 Likes

Hi @JoeGoerlich,

if an application is using one of the affected versions, the Application Vulnerability Report will generate a finding for each affected package. 

Best Regards,
Henry

henry_brink
Product and Topic Expert
Product and Topic Expert
0 Likes

Hi @flusch,

we store findings with a retention period of 8 days, after 8 days the findings are removed if they have not been found in another scan.

Best Regards
Henry

flusch
Participant
0 Likes

Hi @henry_brink,

using the example of the recent NPM supply chain attack, waiting for a week for the next scan is not the best idea :-). How can the situation be improved?

henry_brink
Product and Topic Expert
Product and Topic Expert

Hi @flusch,

I agree, therefore we have temporarily increased the frequency of the scans and also run an ad-hoc scan on Thursday, so that we'll catch affected applications quickly.

Best Regards,
Henry

Michael-G
Explorer
0 Likes

Hello @henry_brink,

is it on the roadmap to allow customers to start a scan manually?

Or will the frequency be increased by default?

Thanks

Michael 

MatthiasL
Participant
0 Likes

Hi @henry_brink ,

That's awesome and shows its full potential. I've two more technical questions about this:

1) Would you happen to have the relevant "Source Vulnerability ID" for the sap npm issue so we can more easily monitor for them (we've quite some findings in our older apps and it's hard to scroll through them all)
2) How would the scenario play out that a developer has loaded this into his BAS (I guess you can do npm install there too afterall) and thus the issue is within his environment and active, is this something SAP is screening/cleaning? This tool AFAIK only checks the deployed programs, but not whatever someone has running in BAS or VS. Any ideas?

henry_brink
Product and Topic Expert
Product and Topic Expert
0 Likes

Hi @Michael-G,

we are considering allowing manual scans in the future, but have not yet added this to the roadmap, as we have to assess all the prerequisites before adding this feature.

For now, we have temporarily increased the frequency for all customers, and we'll monitor how we can adapt this in future.

Best Regards,
Henry

henry_brink
Product and Topic Expert
Product and Topic Expert
0 Likes

Hi @MatthiasL,

For 1): The Source Vulnerability IDs for the affected SAP Packages are:
- MAL-2026-3179 (mbt)
- MAL-2026-3178 (@cap-js/sqlite)
- MAL-2026-3176 (@cap-js/postgres)
- MAL-2026-3176 (@cap-js/db-scanner)

For 2): BAS is currently out of scope for the Application Vulnerability Report; as I'm not an expert for BAS I can't help there. For local VS Code deployments, I suggest using the steps outlined in the SAP Note: https://me.sap.com/notes/3747787, watching audit logs and, if in doubt, rotating credentials.

Best Regards,
Henry