# Jira Integration (Security Design Review)

### Overview

The Jira integration embeds DevArmor's Security Review workflow into your issue tracking process. When a developer creates a new Jira task or epic, DevArmor evaluates it against your organization's threat model and posts a structured security design review back into the ticket, before implementation begins.

Security requirements, recommended controls, and relevant design patterns reach engineers at planning time, not after the fact. Security engineers no longer need to manually triage every ticket: DevArmor classifies and reviews automatically, surfacing only the issues that warrant human attention.

Engineers interact entirely within Jira. The DevArmor Forge app adds a panel directly to each issue, showing the security review status and results inline.

### Integration Type

DevArmor connects to Jira using an **Atlassian Forge app** — Atlassian's native, cloud-hosted integration framework. The app is installed from the Atlassian Marketplace and runs on Atlassian infrastructure with permissions granted through the standard Atlassian app consent flow. No self-hosted components or custom webhooks are required.

**Supported platforms:** Jira Cloud only. Jira Server and Data Center are not supported yet.

**Permissions requested at install:**

* Read access to issues and projects
* Write access to post comments on issues
* Read access to user email addresses (for account matching)

### How It Works

#### Automated Security Review

```mermaid
flowchart LR
    A[Developer creates\nJira task or epic] --> B[DevArmor classifies ticket]
    B --> C{Security\nsignificant?}
    C -- Yes --> D[Run security\ndesign review]
    C -- No --> E[No action]
    D --> F[Post requirements,\ncontrols & patterns\nto ticket]
```

DevArmor evaluates every new task or epic in a monitored project against your threat model and posts review results back into Jira only when the work is security-significant.

1. A developer creates a new task or epic in a monitored Jira project.
2. DevArmor classifies the ticket against your organization's threat model.
3. If security-significant, DevArmor runs a security design review and posts a structured comment to the ticket containing:
   * Security requirements the implementation must satisfy
   * Recommended controls for the specific feature
   * Applicable design patterns from your organization's approved pattern library
4. If not security-significant, no action is taken.

#### Manual Review

From the DevArmor panel within any Jira issue, click **Run Security Review** to trigger or re-run a review on demand. Use this when a ticket has been updated since the initial automated review, or when the automated review was skipped.

#### Inline Panel

The DevArmor Forge app adds a panel to every Jira issue, visible in the backlog, board modal, and full-screen issue views, showing the review status and results without leaving Jira.

### Prerequisites

* A DevArmor organization with at least one threat model configured
* The DevArmor Forge app installed in your Atlassian workspace via the Atlassian Marketplace
* Jira Cloud workspace (Server and Data Center are not supported)

### Installation

1. Install the DevArmor Forge app from the Atlassian Marketplace. Follow the link from within DevArmor app's Integrations page, or use this [direct link](https://developer.atlassian.com/console/install/99e8156a-5a8d-4de0-872f-b3a41ff56c08?signature=AYABeETxK7eJgbL0hrcp0mvJa4YAAAADAAdhd3Mta21zAEthcm46YXdzOmttczp1cy13ZXN0LTI6NzA5NTg3ODM1MjQzOmtleS83MDVlZDY3MC1mNTdjLTQxYjUtOWY5Yi1lM2YyZGNjMTQ2ZTcAuAECAQB4IOp8r3eKNYw8z2v%2FEq3%2FfvrZguoGsXpNSaDveR%2FF%2Fo0BXCohExkzjSPPgCVMh8HihQAAAH4wfAYJKoZIhvcNAQcGoG8wbQIBADBoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDO%2FIPQWIR2%2B85US6ZQIBEIA7ms9qr1AuOnDjx8Gzap%2Bk0W%2FNLmhUY4LNp5StGaWhBehhJM8gavG4qOEN5yrzPZVxOJUKtDRWcDN5hzsAB2F3cy1rbXMAS2Fybjphd3M6a21zOmV1LXdlc3QtMTo3MDk1ODc4MzUyNDM6a2V5LzQ2MzBjZTZiLTAwYzMtNGRlMi04NzdiLTYyN2UyMDYwZTVjYwC4AQICAHijmwVTMt6Oj3F%2B0%2B0cVrojrS8yZ9ktpdfDxqPMSIkvHAHrFvY6ClvsefAtxT3TBNSPAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMAHBw7KzxgkjJxPYgAgEQgDve8Fmp5ylYZP1hOw%2BctC%2FWexQWPkV2kMrLonShs1ChxFkI46t%2BYv5rIG%2F%2FYNbchvvZ8Hylb37%2FHUeIuQAHYXdzLWttcwBLYXJuOmF3czprbXM6dXMtZWFzdC0xOjcwOTU4NzgzNTI0MzprZXkvNmMxMjBiYTAtNGNkNS00OTg1LWI4MmUtNDBhMDQ5NTJjYzU3ALgBAgIAeLKa7Dfn9BgbXaQmJGrkKztjV4vrreTkqr7wGwhqIYs5AaPkP%2F15wcKa1vZhbNXytakAAAB%2BMHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAxfvwddkOH7ANVUhnECARCAOyFZyw37viPuJfWxorHvbPFOJHrx4iUs7ESsvAb%2BaMicAdsVGMZboWfcOsQjCNNNyM8sz1%2BxfURrAabtAgAAAAAMAAAQAAAAAAAAAAAAAAAAAFJ63O8zspM%2FvDIHqhmj%2B1H%2F%2F%2F%2F%2FAAAAAQAAAAAAAAAAAAAAAQAAADLzas6VXXfI9GFzoou%2FC3mh%2FEnii3r1O0%2BFePJCF1SurODGfI6oLzj%2FFlnev8t0sp%2BNtRdhEGp5uXROEDrmh6O0rfA%3D\&product=jira).
2. Accept the requested permissions during the Atlassian consent flow.
3. DevArmor matches your Atlassian workspace to your DevArmor organization using your email domain. No additional configuration is required.

All Jira projects are monitored by default. To restrict coverage to specific projects, update the **Monitored Projects** setting in your DevArmor organization settings.

### Review Output

| Field                         | Description                                                                         |
| ----------------------------- | ----------------------------------------------------------------------------------- |
| **Potential Security Issues** | Potential issues, threats, and abuse cases identified based on the proposed design. |
| **Security Requirements**     | Properties the implementation must satisfy, derived from your threat model.         |

High-criticality items are security requirements; lower-criticality items are recommendations.
