SAP BTP Governance for VS Code

Govern SAP BTP environments directly from your IDE — without needing SAP-specific knowledge.

Features

BTP Explorer

Browse your full SAP BTP account hierarchy — Global Account > Directories > Subaccounts > Entitlements, Environments, and Formations — in a native VS Code tree view.

Compliance Scanning

Run security assessments against SAP's BTP security recommendations. View findings by severity with one-click remediation guidance.

DR Readiness Assessment

24-point disaster recovery maturity check across 5 categories (Application Resilience, Data Protection, Network & Connectivity, Identity & Access, DR Strategy & Testing). Auto-checks via MCP tools where possible, maturity score from Ad Hoc to Optimized.

Security Posture

View your BTP security posture score (0-100) with findings broken down by category — formation anomalies, consent violations, compliance drift, and suspicious activity.

Audit Trails

Search and export BTP audit logs. Correlate events across subaccounts with CloudTrail for forensic investigations.

Code Intelligence

CodeLens on mta.yaml: Instance count DR status, HANA replica health, entitlement validation
CodeLens on manifest.yml: Instance count warnings, missing health checks for Route 53
Diagnostics: Single-instance warnings, missing health checks, hardcoded GUIDs, non-prod plans
Quick Fixes: Scale to 3 instances, add HTTP health check, extract GUID to parameter

Requirements

VS Code 1.85.0 or later (also works in Kiro)
BTP Governance MCP Server (86 tools, 13 modules)
SAP BTP account with CIS service key credentials

Setup

Install the extension
Clone and build the MCP server: npm install && npm run build
The extension auto-discovers the server at ~/btp-governance-mcp-server/dist/index.js
Run BTP: Connect to Global Account from the command palette
Enter your CIS service key credentials (stored securely in OS keychain)
The status bar shows BTP: Production (86 tools) when connected

Commands

Command	Description
`BTP: Connect to Global Account`	Connect with CIS credentials
`BTP: Run Compliance Scan`	Security assessment with severity dashboard
`BTP: Check DR Readiness`	24-point DR maturity assessment
`BTP: View Subaccount Details`	Entitlements, environments, formations
`BTP: Show Available MCP Tools`	Browse all 86 governance tools
`BTP: Refresh Explorer`	Refresh the BTP account tree

Architecture

The extension communicates with a local MCP server over STDIO — the same pattern as TypeScript language servers. No cloud dependency, no data leaves your machine except direct BTP API calls.

VS Code Extension <-> BTP Governance MCP Server (STDIO) <-> SAP BTP APIs + AWS Services

MCP Server Modules (86 tools)

Module	Tools	Coverage
Accounts	12	Subaccounts, entitlements, environments, costs
Identity	12	IAS users, groups, MFA, inactive user detection
Authorization	12	XSUAA roles, security config, least privilege
Audit	7	Audit logs, security events, report generation
Connectivity	4	Destinations, certificates
Monitoring	7	Alerts, CloudTrail, security posture
Formations	7	Formation CRUD, system management, sync
Regions	3	Regional validation, EU Access enforcement
Consent	5	Consent workflows, segregation of duties
Compliance	5	Evaluation, rules, auto-remediation
Security	7	Posture scoring, UCL/external detection
Transport	2	Transport nodes, deployment audit
HANA	3	Instances, replication, backup health

License

MIT

SAP BTP on AWS Governance and Security

Mario de Felipe