update link format (goodwithtech#62)

CHECKPOINT.md

@@ -5,7 +5,8 @@
 
 These checkpoints refered to [CIS Docker 1.13.0 Benchmark v1.0.0](https://www.cisecurity.org/benchmark/docker/).
 
-### CIS-DI-0001: Create a user for the container
+### CIS-DI-0001
+**Create a user for the container**
 
 > Create a non-root user for the container in the Dockerfile for the container image.
 >
@@ -23,20 +24,24 @@ USER dockle
 
 ```
 
-### CIS-DI-0002: Use trusted base images for containers
+### CIS-DI-0002
+**Use trusted base images for containers**
 
 Dockle checks [Content Trust](https://docs.docker.com/engine/security/trust/content_trust/).
 
-### CIS-DI-0003: Do not install unnecessary packages in the container
+### CIS-DI-0003
+**Do not install unnecessary packages in the container**
 
 Not supported.
 
-### CIS-DI-0004: Scan and rebuild the images to include security patches
+### CIS-DI-0004
+**Scan and rebuild the images to include security patches**
 
 Not supported.
 Please check with [Trivy](https://github.com/knqyf263/trivy).
 
-### CIS-DI-0005: Enable Content trust for Docker
+### CIS-DI-0005
+**Enable Content trust for Docker**
 
 > Content trust is disabled by default. You should enable it.
 
@@ -53,7 +58,8 @@ $ export DOCKER_CONTENT_TRUST=1
     >   - `$ docker pull` of an unsigned image.
     >   - `$ docker build` where the FROM image is not signed or is not scratch.
 
-### CIS-DI-0006: Add `HEALTHCHECK` instruction to the container image
+### CIS-DI-0006
+**Add `HEALTHCHECK` instruction to the container image**
 
 > Add `HEALTHCHECK` instruction in your docker container images to perform the health check on running containers.<br/>
 > Based on the reported health status, the docker engine could then exit non-working containers and instantiate new ones.
@@ -64,7 +70,8 @@ HEALTHCHECK --interval=5m --timeout=3s \
   CMD curl -f http://localhost/ || exit 1
 ```
 
-### CIS-DI-0007: Do not use `update` instructions alone in the Dockerfile
+### CIS-DI-0007
+**Do not use `update` instructions alone in the Dockerfile**
 
 > Do not use `update` instructions such as `apt-get update` alone or in a single line in the Dockerfile.<br/>
 > Adding the `update` instructions in a single line on the Dockerfile will cache the update layer.
@@ -73,7 +80,8 @@ HEALTHCHECK --interval=5m --timeout=3s \
 RUN apt-get update && apt-get install -y package-a
 ```
 
-### CIS-DI-0008: Confirm safety of `setuid` and `setgid` files
+### CIS-DI-0008
+**Confirm safety of `setuid` and `setgid` files**
 
 > Removing `setuid` and `setgid` permissions in the images would prevent privilege escalation attacks in the containers.<br/>
 > `setuid` and `setgid` permissions could be used for elevating privileges.
@@ -83,7 +91,8 @@ chmod u-s setuid-file
 chmod u-g setgid-file
 ```
 
-### CIS-DI-0009: Use `COPY` instead of `ADD` in Dockerfile
+### CIS-DI-0009
+**Use `COPY` instead of `ADD` in Dockerfile**
 
 > Use `COPY` instruction instead of `ADD` instruction in the Dockerfile.<br/>
 > `ADD` instruction introduces risks such as adding malicious files from URLs without scanning and unpacking procedure vulnerabilities.
@@ -95,14 +104,16 @@ ADD test.json /app/test.json
 COPY test.json /app/test.json
 ```
 
-### CIS-DI-0010: Do not store secrets in Dockerfiles
+### CIS-DI-0010
+**Do not store secrets in Dockerfiles**
 
 > Do not store any secrets in Dockerfiles.<br/>
 > the secrets within these Dockerfiles could be easily exposed and potentially be exploited.
 
 `Dockle` checks ENVIRONMENT variables and credential files.
 
-### CIS-DI-0011: Install verified packages only
+### CIS-DI-0011
+**Install verified packages only**
 
 Not supported.
 It's better to use [Trivy](https://github.com/knqyf263/trivy).
@@ -111,13 +122,15 @@ It's better to use [Trivy](https://github.com/knqyf263/trivy).
 
 These checkpoints referred to [Docker Best Practice](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/) and so on.
 
-### DKL-DI-0001: Avoid `sudo` command
+### DKL-DI-0001
+**Avoid `sudo` command**
 
 - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user
 
     > Avoid installing or using sudo as it has unpredictable TTY and signal-forwarding behavior that can cause problems.
 
-### DKL-DI-0002: Avoid sensitive directory mounting
+### DKL-DI-0002
+**Avoid sensitive directory mounting**
 
 A volume mount makes weak points. This depends on mounting volumes.
 
@@ -128,29 +141,33 @@ Currently, `Dockle` checks following directories:
 `dockle` only checks `VOLUME` statements, since we can't check `docker run -v /lib:/lib ...`.
 
 
-### DKL-DI-0003: Avoid `apt-get upgrade`, `apk upgrade`, `dist-upgrade`
+### DKL-DI-0003
+**Avoid `apt-get upgrade`, `apk upgrade`, `dist-upgrade`**
 
 - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#apt-get
 
     > Avoid `RUN apt-get upgrade` and `dist-upgrade`, as many of the “essential” packages from the parent images cannot upgrade inside an unprivileged container.
 
-### DKL-DI-0004: Use `apk add` with `--no-cache`
+### DKL-DI-0004
+**Use `apk add` with `--no-cache`**
 
 - https://github.com/gliderlabs/docker-alpine/blob/master/docs/usage.md#disabling-cache
 
     > As of Alpine Linux 3.3 there exists a new `--no-cache` option for `apk`. It allows users to install packages with an index that is updated and used on-the-fly and not cached locally:<br/>
     > ...<br/>
     > This avoids the need to use `--update` and remove `/var/cache/apk/*` when done installing packages.
 
-### DKL-DI-0005: Clear `apt-get` caches
+### DKL-DI-0005
+**Clear `apt-get` caches**
 
 Use `apt-get clean && rm -rf /var/lib/apt/lists/*` after `apt-get install`.
 
 - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#apt-get
 
     > In addition, when you clean up the `apt cache` by removing `/var/lib/apt/lists` it reduces the image size, since the apt cache is not stored in a layer. Since the `RUN` statement starts with `apt-get update`, the package cache is always refreshed prior to `apt-get install`.
 
-### DKL-DI-0006: Avoid `latest` tag
+### DKL-DI-0006
+**Avoid `latest` tag**
 
 - https://vsupalov.com/docker-latest-tag/
 
@@ -160,18 +177,21 @@ Use `apt-get clean && rm -rf /var/lib/apt/lists/*` after `apt-get install`.
 
 These checkpoints referred to [Linux Best Practices](https://www.cyberciti.biz/tips/linux-security.html) and so on.
 
-### DKL-LI-0001: Avoid empty password
+### DKL-LI-0001
+**Avoid empty password**
 
 - https://blog.aquasec.com/cve-2019-5021-alpine-docker-image-vulnerability
 
     > CVE-2019-5021: Alpine Docker Image "null root password" Vulnerability
 
-### DKL-LI-0002: Be unique UID/GROUPs
+### DKL-LI-0002
+**Be unique UID/GROUPs**
 
 - http://www.linfo.org/uid.html
 
     > Contrary to popular belief, it is not necessary that each entry in the UID field be unique. However, non-unique UIDs can cause security problems, and thus UIDs should be kept unique across the entire organization.
 
-### DKL-LI-0003: Only put necessary files
+### DKL-LI-0003
+**Only put necessary files**
 
 Check `.cache`, `tmp` and so on directories.

README.md

@@ -244,28 +244,28 @@ $ docker run --rm goodwithtech/dockle:v${DOCKLE_LATEST} [YOUR_IMAGE_NAME]
 | CODE | DESCRIPTION | LEVEL[※](#level) |
 |---|---|:---:|
 | | [CIS's Docker Image Checkpoints](CHECKPOINT.md#docker-image-checkpoints) | |
-| [CIS-DI-0001](CHECKPOINT.md#cis-di-0001-create-a-user-for-the-container) | Create a user for the container | WARN |
-| [CIS-DI-0002](CHECKPOINT.md#cis-di-0002-use-trusted-base-images-for-containers) | Use trusted base images for containers | FATAL
-| [CIS-DI-0003](CHECKPOINT.md#cis-di-0003-do-not-install-unnecessary-packages-in-the-container) | Do not install unnecessary packages in the container | FATAL
-| [CIS-DI-0004](CHECKPOINT.md#cis-di-0004-scan-and-rebuild-the-images-to-include-security-patches) | Scan and rebuild the images to include security patches | FATAL
-| [CIS-DI-0005](CHECKPOINT.md#cis-di-0005-enable-content-trust-for-docker) | Enable Content trust for Docker | INFO
-| [CIS-DI-0006](CHECKPOINT.md#cis-di-0006-add-healthcheck-instruction-to-the-container-image) | Add `HEALTHCHECK` instruction to the container image | WARN
-| [CIS-DI-0007](CHECKPOINT.md#cis-di-0007-do-not-use-update-instructions-alone-in-the-dockerfile) | Do not use `update` instructions alone in the Dockerfile | FATAL
-| [CIS-DI-0008](CHECKPOINT.md#cis-di-0008-comfirm-safety-of-setuid-setgid-files) | Confirm safety of `setuid` and `setgid` files | INFO
-| [CIS-DI-0009](CHECKPOINT.md#cis-di-0009-use-copy-instead-of-add-in-dockerfile) | Use `COPY` instead of `ADD` in Dockerfile | FATAL
-| [CIS-DI-0010](CHECKPOINT.md#cis-di-0010-do-not-store-secrets-in-dockerfiles) | Do not store secrets in Dockerfiles | FATAL
-| [CIS-DI-0011](CHECKPOINT.md#cis-di-0011-install-verified-packages-only) | Install verified packages only | INFO
+| [CIS-DI-0001](CHECKPOINT.md#cis-di-0001) | Create a user for the container | WARN |
+| [CIS-DI-0002](CHECKPOINT.md#cis-di-0002) | Use trusted base images for containers | FATAL
+| [CIS-DI-0003](CHECKPOINT.md#cis-di-0003) | Do not install unnecessary packages in the container | FATAL
+| [CIS-DI-0004](CHECKPOINT.md#cis-di-0004) | Scan and rebuild the images to include security patches | FATAL
+| [CIS-DI-0005](CHECKPOINT.md#cis-di-0005) | Enable Content trust for Docker | INFO
+| [CIS-DI-0006](CHECKPOINT.md#cis-di-0006) | Add `HEALTHCHECK` instruction to the container image | WARN
+| [CIS-DI-0007](CHECKPOINT.md#cis-di-0007) | Do not use `update` instructions alone in the Dockerfile | FATAL
+| [CIS-DI-0008](CHECKPOINT.md#cis-di-0008) | Confirm safety of `setuid` and `setgid` files | INFO
+| [CIS-DI-0009](CHECKPOINT.md#cis-di-0009) | Use `COPY` instead of `ADD` in Dockerfile | FATAL
+| [CIS-DI-0010](CHECKPOINT.md#cis-di-0010) | Do not store secrets in Dockerfiles | FATAL
+| [CIS-DI-0011](CHECKPOINT.md#cis-di-0011) | Install verified packages only | INFO
 || [Dockle Checkpoints for Docker](CHECKPOINT.md#dockle-checkpoints-for-docker) |
-| [DKL-DI-0001](CHECKPOINT.md#dkl-di-0001-avoid-sudo-command) | Avoid `sudo` command | FATAL
-| [DKL-DI-0002](CHECKPOINT.md#dkl-di-0002-avoid-sensitive-directory-mounting) | Avoid sensitive directory mounting | FATAL
-| [DKL-DI-0003](CHECKPOINT.md#dkl-di-0003-avoid-apt-get-upgrade-apk-upgrade-dist-upgrade) | Avoid `apt-get upgrade`, `apk upgrade`, `dist-upgrade` | FATAL
-| [DKL-DI-0004](CHECKPOINT.md#dkl-di-0004-use-apk-add-with---no-cache) | Use `apk add` with `--no-cache` | FATAL
-| [DKL-DI-0005](CHECKPOINT.md#dkl-di-0005-clear-apt-get-caches) | Clear `apt-get` caches | FATAL
-| [DKL-DI-0006](CHECKPOINT.md#dkl-di-0006-avoid-latest-tag) | Avoid `latest` tag | WARN
+| [DKL-DI-0001](CHECKPOINT.md#dkl-di-0001) | Avoid `sudo` command | FATAL
+| [DKL-DI-0002](CHECKPOINT.md#dkl-di-0002) | Avoid sensitive directory mounting | FATAL
+| [DKL-DI-0003](CHECKPOINT.md#dkl-di-0003) | Avoid `apt-get upgrade`, `apk upgrade`, `dist-upgrade` | FATAL
+| [DKL-DI-0004](CHECKPOINT.md#dkl-di-0004) | Use `apk add` with `--no-cache` | FATAL
+| [DKL-DI-0005](CHECKPOINT.md#dkl-di-0005) | Clear `apt-get` caches | FATAL
+| [DKL-DI-0006](CHECKPOINT.md#dkl-di-0006) | Avoid `latest` tag | WARN
 || [Dockle Checkpoints for Linux](CHECKPOINT.md#dockerdockle-checkpoints-for-linux) |
-| [DKL-LI-0001](CHECKPOINT.md#dkl-li-0001-avoid-empty-password) | Avoid empty password | FATAL
-| [DKL-LI-0002](CHECKPOINT.md#dkl-li-0002-be-unique-uidgroups) | Be unique UID/GROUPs | FATAL
-| [DKL-LI-0003](CHECKPOINT.md#dkl-li-0003-only-put-necessary-files) | Only put necessary files | INFO
+| [DKL-LI-0001](CHECKPOINT.md#dkl-li-0001) | Avoid empty password | FATAL
+| [DKL-LI-0002](CHECKPOINT.md#dkl-li-0002) | Be unique UID/GROUPs | FATAL
+| [DKL-LI-0003](CHECKPOINT.md#dkl-li-0003) | Only put necessary files | INFO
 
 ## Level