Orcho integrates directly with Jira to automatically assess the risk of every ticket as it’s created. Get real-time risk scores and recommendations before work begins, helping teams prioritize security reviews and prevent high-risk implementations.

Features

Automatic Assessment

Risk assessment runs automatically on ticket creation

Smart Warnings

High-risk tickets are flagged immediately with clear warnings

Team Visibility

Risk scores visible to entire team in ticket metadata

Workflow Integration

Block or require approval for critical-risk tickets

How It Works

When a developer creates a Jira ticket, Orcho automatically:
1. Ticket created

   Developer creates a new Jira ticket with title and description

2. Orcho analyzes

   The Orcho app intercepts the creation event and calls the assess_risk API with the ticket content

3. Risk assessment returned

   Orcho evaluates the ticket for:
     • Data sensitivity
     • Input clarity
     • Potential blast radius
     • Security concerns

4. Risk displayed

   Risk score and level are added as custom fields on the ticket:
     • Risk Score: 0.72
     • Risk Level: HIGH
     • Recommendations: Review required before implementation

5. Team notified

   For high-risk tickets (≥ 0.6), stakeholders are automatically notified

Installation

1. Install Orcho for Jira

   Visit the Atlassian Marketplace and search for “Orcho Risk Assessment”, or have your Jira admin install it from the Apps section

2. Contact for API key

   Email [email protected] to request an API key for your organization

3. Configure the app

   In Jira, go to:
     1. Settings → Apps → Manage Apps
     2. Find “Orcho Risk Assessment”
     3. Click “Configure”
     4. Enter your API key
     5. Save configuration

4. Enable for projects

   Choose which Jira projects should have automatic risk assessment:
     1. Settings → Apps → Orcho Configuration
     2. Select projects to enable
     3. Configure risk thresholds (optional)
     4. Save changes

5. Test the integration

   Create a test ticket with a high-risk description:

     Title: Delete all production user data
     Description: Remove all users from the production database to clean up old accounts

   Verify that the risk assessment appears on the ticket

Risk Assessment Fields

Orcho adds the following custom fields to your Jira tickets:
Orcho Risk Score
number
Overall risk score from 0.0 (minimal risk) to 1.0 (critical risk)
Example: 0.72

Orcho Risk Level
string
Risk level category: minimal, low, medium, high, or critical
Example: HIGH

Orcho Risk Factors
object
Breakdown of individual risk factor scores
Example:
  Data Sensitivity: 0.85
  Input Clarity: 0.62
  Blast Radius: N/A (no context)

Orcho Recommendations
array
Actionable recommendations for mitigating risk
Example:
  • Add WHERE clause to limit scope
  • Require security team approval
  • Create backup before deletion

Orcho Assessment Date
datetime
Timestamp when risk assessment was performed
Example: 2026-01-08T14:30:00Z

Example Risk Assessment

High-Risk Ticket

JIRA-1234: Delete inactive user accounts

Risk Assessment:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠️  HIGH RISK (Score: 0.78)

Risk Factors:
• Data Sensitivity: 0.92 (CRITICAL)
• Input Clarity: 0.68 (HIGH)
• Blast Radius: 0.65 (HIGH)

Recommendations:
• REVIEW_REQUIRED - Significant risk factors present
• Add specific criteria for "inactive" (e.g., no login > 90 days)
• Implement soft delete instead of hard delete
• Require manual approval from security team
• Create full database backup before execution
• Test on staging environment first

⚠️  This ticket has been flagged for security review
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Low-Risk Ticket

JIRA-1235: Update button color on homepage

Risk Assessment:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✓  LOW RISK (Score: 0.18)

Risk Factors:
• Data Sensitivity: 0.05 (MINIMAL)
• Input Clarity: 0.25 (LOW)
• Blast Radius: 0.15 (MINIMAL)

Recommendations:
• SAFE - Minimal risk detected
• Proceed with standard development workflow

✓  This ticket is safe to implement
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Workflow Automation

Automatic Approvals

Configure Jira workflows to require approvals based on risk:
Require approval from:
  • Security team lead
  • Engineering manager
  • Product owner
Workflow:
  1. Ticket created → Risk assessed
  2. If risk ≥ 0.6 → Status changes to “Security Review”
  3. Security team notified automatically
  4. Requires approval before moving to “In Progress”

Configuration Options

Risk Thresholds

Customize thresholds for your organization:
warning_threshold
number, default: 0.6
Risk score that triggers warnings and notifications
Default: 0.6 (high risk)

blocking_threshold
number, default: 0.8
Risk score that blocks ticket from moving to development
Default: 0.8 (critical risk)

auto_approve_threshold
number, default: 0.4
Risk score below which tickets are auto-approved
Default: 0.4 (medium risk)

Notification Settings

notify_high_risk
boolean, default: true
Send notifications for high-risk tickets (≥ 0.6)

notify_critical_risk
boolean, default: true
Send notifications for critical-risk tickets (≥ 0.8)

notification_channels
array
Where to send notifications: email, slack, jira-comment
Default: ["email", "jira-comment"]

notification_recipients
object
Who receives notifications for each risk level
Example:
{
  "high_risk": ["[email protected]"],
  "critical_risk": ["[email protected]", "[email protected]"]
}
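
The threshold and notification settings above, combined into one configuration check and one decision function. This is an added example, not Orcho's code: the action names, the fail-closed handling of a missing score, the treatment of scores between auto_approve_threshold and warning_threshold, and the example.com recipients are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class OrchoConfig:
    # Key names and defaults are the ones documented above.
    auto_approve_threshold: float = 0.4
    warning_threshold: float = 0.6
    blocking_threshold: float = 0.8
    notify_high_risk: bool = True
    notify_critical_risk: bool = True
    notification_recipients: dict = field(default_factory=dict)

def validate(cfg):
    """Return problems that would make the gate behave unexpectedly."""
    problems = []
    t = (cfg.auto_approve_threshold, cfg.warning_threshold, cfg.blocking_threshold)
    if not all(0.0 <= x <= 1.0 for x in t):
        problems.append("thresholds must lie in [0.0, 1.0]")
    if not t[0] <= t[1] <= t[2]:
        problems.append("need auto_approve <= warning <= blocking")
    for flag, key in (("notify_high_risk", "high_risk"),
                      ("notify_critical_risk", "critical_risk")):
        if getattr(cfg, flag) and not cfg.notification_recipients.get(key):
            problems.append(f"{flag} is on but '{key}' has no recipients")
    return problems

def decide(score, cfg):
    """Map a risk score to (action, recipients). Action names are hypothetical."""
    def recipients(flag, key):
        return cfg.notification_recipients.get(key, []) if getattr(cfg, flag) else []
    valid = isinstance(score, (int, float)) and not isinstance(score, bool)
    if not valid or not 0.0 <= score <= 1.0:
        # Assumption: fail closed, so a missing or malformed score is reviewed.
        return "security_review", recipients("notify_high_risk", "high_risk")
    if score >= cfg.blocking_threshold:
        return "blocked", recipients("notify_critical_risk", "critical_risk")
    if score >= cfg.warning_threshold:
        return "security_review", recipients("notify_high_risk", "high_risk")
    if score < cfg.auto_approve_threshold:
        return "auto_approved", []
    # Assumption: the page does not say what happens between the two thresholds.
    return "standard_workflow", []

# Constructed sample configuration (addresses are placeholders).
SAMPLE = OrchoConfig(notification_recipients={
    "high_risk": ["security@example.com"],
    "critical_risk": ["security@example.com", "ciso@example.com"],
})
```

Running `validate` before saving a threshold change catches an inverted pair such as a warning threshold above the blocking threshold, which would leave the "Security Review" state unreachable.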

JQL Queries

Use Jira Query Language to find tickets by risk level:

Find High-Risk Tickets

"Orcho Risk Level" = "HIGH" OR "Orcho Risk Level" = "CRITICAL"

Find Tickets Needing Review

"Orcho Risk Score" >= 0.6 AND status = "Security Review"

Find Safe-to-Implement Tickets

"Orcho Risk Level" IN ("MINIMAL", "LOW") AND status = "Ready for Development"

Find Tickets by Risk Factor

"Orcho Risk Factors" ~ "Data Sensitivity: 0.9*"

Dashboards & Reports

Risk Distribution Dashboard

Create a dashboard showing:
  • Total tickets by risk level (pie chart)
  • Risk score distribution (histogram)
  • Average risk score trend over time (line chart)
  • High-risk tickets by assignee (bar chart)

Security Review Board

Track tickets requiring security review:
  • Pending security reviews
  • Average time in security review
  • Approval vs rejection rate
  • Most common high-risk patterns

Troubleshooting

Check app installation:
  1. Go to Settings → Apps → Manage Apps
  2. Verify “Orcho Risk Assessment” is installed
  3. Check that app is enabled
Verify API key:
  1. Settings → Apps → Orcho Configuration
  2. Ensure API key is entered correctly
  3. Test connection with “Test API Key” button
Check project settings:
  1. Verify risk assessment is enabled for this project
  2. Check that user has permission to view custom fields
Invalid API Key:
  • Contact [email protected] to verify key
  • Check for extra spaces or special characters
  • Try regenerating the key
Rate Limits:
Connection Errors:
  • Verify Jira can reach app.orcho.ai
  • Check firewall/proxy settings
  • Contact IT to whitelist Orcho API
Update ticket for reassessment:
  1. Edit ticket title or description
  2. Save changes
  3. Risk will be reassessed automatically
Manual reassessment:
  1. Click “More” (•••) on ticket
  2. Select “Reassess Risk” from Orcho menu
  3. New assessment will replace old one
Adjust risk thresholds:
  1. Settings → Apps → Orcho Configuration
  2. Customize thresholds for your needs
  3. Save and test with sample tickets
Check notification settings:
  1. Settings → Apps → Orcho Configuration
  2. Verify notification channels are enabled
  3. Check recipient email addresses
Test notifications:
  1. Create a test high-risk ticket
  2. Check spam folders
  3. Verify Slack webhook is configured correctly
Permission issues:
  • Ensure recipients have access to project
  • Check Jira notification scheme settings

Best Practices

1. Start with monitoring mode

   Enable for 1-2 projects initially to tune thresholds before org-wide rollout

2. Train your team

   Educate developers on:
     • How risk assessment works
     • What different risk levels mean
     • How to write safer ticket descriptions

3. Review blocked tickets

   Hold weekly reviews of blocked tickets to:
     • Understand common high-risk patterns
     • Adjust thresholds if needed
     • Improve ticket writing practices

4. Integrate with existing workflows

   Don’t create parallel workflows; integrate risk assessment into existing approval processes

5. Monitor and iterate

   Track metrics:
     • False positive rate (safe tickets marked high-risk)
     • False negative rate (risky tickets marked low-risk)
     • Time spent in security review
     • Developer feedback
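
One way to turn the false positive and false negative metrics above into a threshold choice during the pilot. This is an added example, not part of Orcho: the reviewed-ticket sample is constructed, and the function names and the "risky"/"safe" verdict labels are assumptions.

```python
# Constructed pilot sample: (Orcho Risk Score, reviewer verdict after the fact).
REVIEWED = [
    (0.92, "risky"), (0.78, "risky"), (0.72, "risky"), (0.66, "safe"),
    (0.61, "safe"), (0.55, "risky"), (0.48, "safe"), (0.35, "safe"),
    (0.18, "safe"), (0.12, "safe"),
]

def rates(reviewed, threshold):
    """(FP rate, FN rate) if every ticket with score >= threshold is flagged."""
    fp = sum(1 for s, v in reviewed if s >= threshold and v == "safe")
    fn = sum(1 for s, v in reviewed if s < threshold and v == "risky")
    safe = sum(1 for _, v in reviewed if v == "safe")
    risky = len(reviewed) - safe
    # Guard against a sample that contains only one class of verdict.
    return (fp / safe if safe else 0.0, fn / risky if risky else 0.0)

def sweep(reviewed, candidates):
    """Rates for each candidate warning_threshold."""
    return {t: rates(reviewed, t) for t in candidates}

def pick_threshold(reviewed, candidates, max_fn_rate):
    """Highest candidate (fewest flagged tickets) whose FN rate stays in budget.

    Falls back to the lowest candidate, the most cautious one, if none qualifies.
    """
    ok = [t for t in candidates if rates(reviewed, t)[1] <= max_fn_rate]
    return max(ok) if ok else min(candidates)

if __name__ == "__main__":
    for t, (fp, fn) in sweep(REVIEWED, [0.5, 0.6, 0.7, 0.8]).items():
        print(f"warning_threshold={t:.1f}  FP rate={fp:.2f}  FN rate={fn:.2f}")
```

On this sample the default 0.6 flags two safe tickets and still misses one risky ticket scored 0.55, which is the kind of finding the weekly review is meant to surface.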

Advanced Features

Custom Risk Weights

Adjust risk factor weights based on your organization’s priorities:
{
  "data_sensitivity": 0.40,
  "input_clarity": 0.30,
  "blast_radius": 0.20,
  "legal_ip_risk": 0.10
}
Configure in: Settings → Apps → Orcho Configuration → Risk Weights

Jira Automation Rules

Create automation rules triggered by risk assessment:

Example: Auto-assign high-risk tickets
Trigger: Issue Created
Condition: "Orcho Risk Level" = "HIGH" OR "Orcho Risk Level" = "CRITICAL"
Action: Assign to Security Team

Example: Add label for tracking
Trigger: Issue Created
Condition: "Orcho Risk Score" >= 0.6
Action: Add label "security-review-required"

Example: Update priority
Trigger: Issue Created
Condition: "Orcho Risk Level" = "CRITICAL"
Action: Set Priority = Highest

Integration with Other Tools

Slack Notifications

Connect Orcho risk assessments to Slack:
  1. Install Jira for Slack
  2. Configure webhook in Orcho settings
  3. Get notifications in #security-alerts channel
  4. Include risk score and direct link to ticket

Confluence Documentation

Automatically create security review docs:
  1. High-risk ticket created
  2. Orcho creates Confluence page with risk details
  3. Security team adds review notes
  4. Link back to Jira ticket

Support

Need help with the Jira integration?

Next Steps

1. Install the Jira app

   Search for “Orcho” in Atlassian Marketplace

2. Get your API key

3. Configure risk thresholds

   Set thresholds that match your security policy

4. Enable for pilot project

   Start with one project to tune settings

5. Train your team

   Help developers understand risk assessment

6. Roll out organization-wide

   Expand to all projects once validated