dev/sg: check dockerfiles for 'apk add' with version pinning
Created by: bobheadxi
hadolint does not support custom rules, only adjustments of levels of its existing rules. Rather than fork hadolint, I've decided to implement a custom parser to allow us to configure custom checks over Dockerfiles via sg check docker, and updated CI to use it.
Also fixes outstanding issues.
Closes https://github.com/sourcegraph/sourcegraph/issues/31189 - see issue for context. tl;dr usage of = dependency pinning causes frequent failures in main that have nothing to do with changes being made, e.g. https://github.com/sourcegraph/sourcegraph/pull/31134:
Big diff is mostly go.sum to pull in the official dockerfile parser.
Exploration to annotate this in CI: https://github.com/sourcegraph/sourcegraph/pull/31220
Test plan
Manual testing + unit tests + example build https://buildkite.com/sourcegraph/sourcegraph/builds/131507#361d106c-a0d6-493c-9a30-85b85c360168/87-90 + main dry run post-fix: https://buildkite.com/sourcegraph/sourcegraph/builds/131518
The introduced moby dependency is not too big of a weight gain as far as binary output goes:
❯ du -h $(which sg) # build from main
59M /Users/robertlin/go/bin/sg
❯ du -h ./sg # built from branch
60M ./sg
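As an added illustration of the kind of check described above (not the PR's own code, which uses the official moby Dockerfile parser), here is a standard-library-only Go sketch: it joins backslash continuations, splits each RUN instruction into its shell commands, and reports any `apk add` argument that carries an exact `=version` pin. The names `CheckApkPins` and `Finding` and the sample Dockerfile are mine, not from the repository.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one exact-version pin found in an `apk add` invocation.
type Finding struct {
	Line    int    // 1-based line of the RUN instruction that starts the command
	Package string // the offending argument, e.g. "curl=7.80.0-r0"
}
// name=version; only exact `=` pins match, apk's `~=` fuzzy pins do not (a choice made here)
var pinnedPkg = regexp.MustCompile(`^[A-Za-z0-9._+-]+=[^=]+$`)
var shellOps = regexp.MustCompile(`&&|\|\||;`)

// CheckApkPins joins backslash continuations so a multi-line RUN is one shell command,
// splits it on &&, || and ;, and flags pinned packages. Exec-form RUN is not handled.
func CheckApkPins(dockerfile string) []Finding {
	var findings []Finding
	lines := strings.Split(dockerfile, "\n")
	for i := 0; i < len(lines); i++ {
		start, instr := i+1, strings.TrimSpace(lines[i])
		for strings.HasSuffix(instr, `\`) && i+1 < len(lines) {
			i++
			instr = strings.TrimSuffix(instr, `\`) + " " + strings.TrimSpace(lines[i])
		}
		if !strings.HasPrefix(strings.ToUpper(instr), "RUN ") {
			continue
		}
		for _, cmd := range shellOps.Split(instr[4:], -1) {
			fields := strings.Fields(cmd)
			if len(fields) < 2 || fields[0] != "apk" || fields[1] != "add" {
				continue // e.g. `set -ex`, `apk update`, or a non-apk command
			}
			for _, arg := range fields[2:] { // flags such as --no-cache are skipped
				if !strings.HasPrefix(arg, "-") && pinnedPkg.MatchString(arg) {
					findings = append(findings, Finding{Line: start, Package: arg})
				}
			}
		}
	}
	return findings
}

func main() { // constructed sample, not a Dockerfile from the repository
	for _, f := range CheckApkPins("FROM alpine:3.15\nRUN apk add --no-cache curl=7.80.0-r0 git \\\n    && apk add bash\n") {
		fmt.Printf("line %d: %s is version-pinned; drop the =version suffix\n", f.Line, f.Package)
	}
}
```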