Thursday 15 December 2016

Why GitHub and JIRA

My current experience is that only GitHub and JIRA have the workflows and the speed that allow these risk workflows to be used properly in the real world.

I know there are other tools available that try to map this and create some UIs for risk workflows, but I believe that you need something very close to the way developers work. GitHub and JIRA meet this essential requirement, as they are both connected to the source code.

JIRA is more powerful from the point of view of workflows: it allows more complex workflows, which is quite interesting, and it gives you a risk acceptance button, which is very powerful.

GitHub is simpler than JIRA, and can be easier and faster to use, although its reporting capabilities aren't as well developed as JIRA's.

These two tools are the only ones I have seen that can make this workflow perform in the real world.


(from the SecDevOps Risk Workflow book, please provide feedback as a GitHub issue)