crashappsec / chalk

Chalk allows you to follow code from development, through builds and into production.
https://crashoverride.com/
GNU General Public License v3.0

feat: external tools if not installed run via docker #314

Closed miki725 closed 4 weeks ago

miki725 commented 1 month ago

Description

Previously chalk would always try to install the external tool on the host system, which in some cases required some system dependencies like pipx or python3 to be available (for semgrep). Right now the precedence is:

  1. use installed tool
  2. use docker (if present)
  3. install tool

This should minimize any external system dependencies and should allow bundling any tool configs in a container, which can be customized via the config:

tool.syft.syft_container = "mysyft:latest"

In addition some logging was improved in tool runtime to help in debugging what tool ran and what keys it generated.

Also, semgrep ci does not allow specifying a target for scanning, which means that it was always scanning cwd(), which is incorrect, for example, in the case of docker builds when the context is outside of cwd(). Now semgrep scan is used, which allows specifying a target for scanning.

Testing

➜ make tests args="test_plugins.py::test_semgrep test_plugins.py::test_syft_docker  -x --logs"
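The precedence described in this PR (installed tool, then docker, then install), as an added POSIX shell example that is not chalk's own code: the `INSTALL_NEEDED` marker, the bind-mount layout and the image name are assumptions, and the docker branch mounts the requested target so the scan is not silently pinned to the caller's cwd.

```shell
#!/bin/sh
# Added example, not part of chalk: pick how an external tool such as
# semgrep or syft runs, using the PR's precedence:
#   1. tool installed on the host  2. docker present  3. install it.

# resolve_tool TOOL -> prints one of: host, docker, install
resolve_tool() {
  tool=$1
  if command -v "$tool" >/dev/null 2>&1; then
    echo host
  elif command -v docker >/dev/null 2>&1; then
    echo docker
  else
    echo install
  fi
}

# build_cmd TOOL IMAGE TARGET [ARGS...] -> prints the command line to run.
# IMAGE is the configured container (e.g. tool.syft.syft_container).
# In docker mode the scan target is bind-mounted read-only at /src and the
# tool is pointed at /src explicitly, so a build context outside cwd() is
# still what gets scanned. "INSTALL_NEEDED:<tool>" is a placeholder for the
# install step, which this example does not implement.
build_cmd() {
  tool=$1; image=$2; target=$3; shift 3
  case $(resolve_tool "$tool") in
    host)    echo "$tool $* $target" ;;
    docker)  echo "docker run --rm -v $target:/src:ro -w /src $image $tool $* /src" ;;
    install) echo "INSTALL_NEEDED:$tool" ;;
  esac
}
```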
miki725 commented 4 weeks ago

> With this PR, we now only test the run-via-docker approach, right? Should we test the case where docker is not available? If yes, I'm OK with us leaving that until later (and opening a ticket to track it) if you're also happy with that.

Had to adjust some things but done in 9db4f14 (#314)