Eclipse Steady (Incubator Project)

License PRs Welcome Build Status Release

Discover, assess and mitigate known vulnerabilities in your Java and Python projects

Eclipse Steady supports software development organizations in regards to the secure use of open-source components during application development. The tool analyzes Java and Python applications in order to:

As such, it addresses the OWASP Top 10 security risk A9, Using Components with Known Vulnerabilities, which is often the root cause of data breaches:

In comparison to other tools, the detection is code-centric and usage-based, which allows for more accurate detection and assessment than tools relying on meta-data. It is a collection of client-side scan tools, microservices and rich OpenUI5 Web frontends.

Read more in our Docs


Originally developed by SAP Security Research, the tool is productively used at SAP since late 2016 (but an earlier prototype was available since 2015). In April 2017, the tool became the officially recommended open-source scan solution for Java (and then Python) applications at SAP. As of April 2019, it has been used to perform 1M+ scans of ~1000 Java and Python development projects, and its adoption is growing at a steady pace.

The tool approach is best described in the following scientific papers, please cite these if you use the tool for your research work:



Eclipse Steady has a distributed architecture composed of a couple of Spring Boot microservices, two Web frontends and a number of client-side scanners/plugins, which perform the actual analysis of application and dependency code on build systems or developer workstations.

To build/test the entire project, the following tools are needed:

Build and Test

Eclipse Steady is built with Maven. To enable the support for Gradle the profile gradle needs to be activated (-P gradle)

mvn clean install

During the installation phase of mvn all the tests are run. Long-running tests can be disabled with the flag All the tests can be disabled with the flag -DskipTests.


Due to the current lack of an authentication and authorization mechanism, it is NOT recommended to run the Web frontends and server-side microservices on systems accessible from the Internet.

Other limitations:

Todo (upcoming changes)

The following is a subset of pending feature requests:

Documentation · Support · Contributing · Deploy guide · Scan guide · Vulnerability database · Blog · CII Best Practices


Copyright (c) 2018 SAP SE or an SAP affiliate company. All rights reserved.

This project is licensed under the Apache Software License, v.2 except as noted otherwise in the LICENSE file.