The UID 2 Project is subject to Tech Lab IPR’s Policy and is managed by the IAB Tech Lab Addressability Working Group and Privacy & Rearc Commit Group. Please review the governance rules here
To run unit tests:
mvn clean test
To package application:
mvn package
To run application:
- use
conf/local-config.jsonto run standalone operator service for local debugging, which loads salts, keys and optout from mock storage provider, and doesn't communicate with uid2-core and uid2-optout.
mvn clean compile exec:java -Dvertx-config-path=conf/local-config.json
- use
conf/integ-config.jsonto run optout operator that integrates with uid2-core (default runs onlocalhost:8088) and uid2-optout (default runs onlocalhost:8081)
mvn clean compile exec:java -Dvertx-config-path=conf/integ-config.json
- In Dockerfile, change the line
to:
COPY ./conf/default-config.json /app/conf/COPY ./conf/docker-config.json /app/conf/local-config.json - Run
mvn package - Go to
pom.xmland find the version wrapped under<version>tag - Run
docker build -t uid2-operator --build-arg JAR_VERSION={version you find in step 3} . - Run
docker run -it -p 8080:8080 uid2-operator:latest - Go to postman and test on endpoint
http://localhost:8080/v1/token/generate?email=exampleuser4@test.uidapi.com
The Github actions will run Trivy for vulnerability scanning as part of the build-and-test and publish-docker pipelines. However, they can also be run locally to aid in resolving these. Trivy only runs on Linux, so you will need to install WSL.
Once WSL is installed, follow these instructions:
https://aquasecurity.github.io/trivy/v0.35/getting-started/installation/
Once installed to check the code only (which is what the build-and-test pipeline does), run this command from the root directory:
wsl trivy fs .
To check the docker image (which is what the publish-docker pipeline does), build the docker image as outlined above and then run this command:
wsl trivy image <image reference>
where <image reference> is the built docker image you want to scan (uid2-latest in the example above).
Every non-snapshot image published by this repo's release workflow ships with a SLSA v1.0 build-provenance attestation, signed by GitHub's Sigstore instance via the OIDC identity of the shared publish workflow. The attestation cryptographically binds the image digest to the source commit, the signing workflow, and the runner that built it.
To verify an image, install gh (≥ 2.49) and run:
gh attestation verify \
oci://ghcr.io/iabtechlab/uid2-operator:<tag> \
--owner IABTechLab \
--signer-repo IABTechLab/uid2-shared-actionsA successful run prints ✓ Verification succeeded! followed by the SLSA provenance fields — including sourceRepositoryDigest (the source commit), workflow.path (the signing workflow), and the runner identity.
Snapshot tags (-SNAPSHOT suffix) deliberately skip attestation. gh attestation verify returns no attestations found against a snapshot — that's expected.