© All rights reserved. Powered by Techronicler 

Optimizing ATC for Refined Advanced Business Application Development

By Christoph Nagy, SecurityBridge

February 16, 2026

 

ATC (ABAP Test Cockpit), formerly known as the SAP Code Inspector (SCI),  plays a crucial role in analyzing ABAP code. ATC is the current free, code-checking solution provided by SAP and available in every SAP NetWeaver or S/4HANA system. However, it does not seem to get the recognition it deserves. Many SAP teams know they have it, but it’s taken for granted and used only during late-stage cleanups, and maybe never used at all.

This is an unfortunate mistake! When properly configured, ATC is one of the quickest and easiest ways to improve ABAP quality, reduce performance risk, and identify security weaknesses before the custom code reaches production.

Why ATC Matters

ATC isn’t just a linting tool; it’s a governance control. It lets SAP leaders define what “acceptable ABAP” means—and then gives them the power to enforce this consistently across teams, packages, and release cycles. This ability is essential in modern SAP landscapes, whether they be (cloud-connected, hybrid, or targeted), as the consistency means issues can be found in testing rather than during an outage.

What SCI Checks

In addition, ATC analyzes ABAP repository objects against a defined rule set. The most useful categories include:

  • SQL and database access patterns (performance and stability)

  • Inefficient constructs (loops, nested processing, avoidable expensive operations)

  • Security-relevant checks

  • HANA migration checks

  • Standards and conventions (consistency across teams)

The Real Problem is The “Variant”

When typical teams run ATC, they often see a massive number of messages and back away, thinking it’s unusable. The problem, though, is usually not with ATC — it’s the variant. Good SAP teams protect their variants in the same way they defend their transport strategy or release governance. A good variant produces a signal, not noise.

3-Tier Variant Model

Tier 1: Developer Local (fast, high-signal):

Used frequently by developers. Focus on issues that are expensive to fix later:

     • Open SQL inside loops

     • Risky statements in critical paths

     • Problematic errors that can block transport

     • High-confidence security findings

Tier 2: Project Quality Gate (stricter):

Used before code moves forward:

     • Extended performance checks

     • Broader security coverage

     • Enforceable conventions

Tier 3: Legacy Hygiene (non-blocking):

Used for ongoing modernization:

     • Naming inconsistencies

     • Refactoring opportunities

     • Older patterns that should be phased out over time

Stop Running ATC “Program by Program”

The trick to running a useful ATC is to run it the way SAP development is actually organized. Use object sets based on:

  • Packages

  • Software components

  • Application domains (FI/CO, MM, SD)

  • Transport scopes

It’s rare to find that ABAP issues are isolated; they tend to cluster across packages and shared utility code.

Operationalize ATC Without Slowing Development 

Steps to a practical implementation include:

1) Standardizing how teams run ATC (ATC as the primary transaction; SCII only when needed)

2) Publishing approved variants (don’t let every developer invent their own)

3) Aligning output severity so developers know what is blocking vs cleanup:

     – Errors = must fix

     – Warnings = risk (prioritize)

     – Info = continuous improvement

ATC variants can be used as a quality gate, for example, to block transport exports from development systems if critical findings still exist. In addition, ATC supports structured exception handling (called “Exemptions” by SAP) via a lightweight workflow. This allows, for example, a development lead to approve an exception so that a transport can proceed with a green status despite an existing finding. 

This is a key improvement compared to the old SCI approach, where exceptions were mainly handled via pseudo comments in the code. ATC provides a much cleaner, more transparent, and governance-friendly mechanism.

The Force Multiplier: ATC Integration

For the best quality, don’t rely solely on individual discipline. ATC checks can run centrally and consistently, and enable: 

  • Centralized rule governance

  • Transport/release quality gates

  • Consistent enforcement across teams.

A best-practice model has ATC running a stricter variant at defined release points.

Performance Checks

Performance wins in ABAP are structural. ATC can catch high-impact patterns such as:

  • Repeated SELECTs in loops

  • Missing or weak WHERE clauses

  • SQL patterns that increase full table scan risk

  • Nested loops over large internal tables.

Fixing these issues improves dialog performance, batch runtimes, and overall database load.

Security: Shift-Left, But Don’t Overclaim

​ATC also includes security-relevant checks; it is not a runtime threat-detection platform. It can’t be used to detect live attacks, lateral movement, or exploitation attempts. Its value is shift-left. It prevents weak patterns from ever shipping.

Bottom Line

The best SAP development organizations see ATC as the standard. With curated variants, object-set governance, and enforcement, ATC becomes part of how SAP needs to be managed. The result is higher-quality ABAP with fewer stability incidents, remediation cycles, and unwanted surprises in production.

 

Christoph Nagy

Linkedin

Christoph Nagy has 20 years of working experience within the SAP industry. He utilizes this knowledge as co-founder and board member at SecurityBridge—a global SAP security provider, serving many of the world’s leading brands. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings and detection of cyber-attacks in real time. Prior to SecurityBridge, Nagy applied his skills as a SAP technology consultant at Adidas and Audi.

If you wish to showcase your experience and expertise, participate in industry-leading discussions, and add visibility and impact to your personal brand and business, get in touch with the Techronicler team to feature in our fast-growing publication. 

Individual Contributors:

Answer our latest queries and submit your unique insights: https://bit.ly/SubmitBrandWorxInsight

Submit your article: https://bit.ly/SubmitBrandWorxArticle

PR Representatives:

Answer the latest queries and submit insights for your client: https://bit.ly/BrandWorxInsightSubmissions

Submit an article for your client: https://bit.ly/BrandWorxArticleSubmissions

Please direct any additional questions to: connect@brandworx.digital