feat: warn when picking up .grype.yaml from CWD

[ChrisJr404]

Closes #3427.

Grype's default fangs config search walks the current working directory before ~/.grype.yaml and the XDG locations, so a hidden .grype.yaml (or .grype/config.yaml) sitting in CWD is silently applied. @joshbressers flagged this on the issue: "I'm not entirely comfortable having Grype read a hidden file in the CWD without any sort of warning." This change adds the warning.

What this does

On startup, if grype is about to pick up a config file from CWD via the implicit finder, it logs:

[0000]  WARN using configuration file from current directory: .grype.yaml

The warning suppresses itself when the file came from anywhere explicit:

• --config / -c <path> (and the --config=path, -c=path, -cpath short forms)
• GRYPE_CONFIG environment variable
• ~/.grype.yaml or any XDG config location

It also stays quiet when there's no CWD config to warn about.

Where it lives

A small cmd/grype/cli/internal/configwarn package owns the detection so the logic is unit-testable without the whole config loader stack. The detector uses the same extension list viper supports (yaml, yml, json, toml, properties, etc.) and checks both finder layouts that fangs uses by default: ./.grype.<ext> and ./.grype/config.<ext>.

The hook fires from the existing WithInitializers block in cmd/grype/cli/cli.go, right after the logger is hoisted into place, so the warning goes through the regular logging pipeline (respects --quiet, log file routing, redaction, etc.).

Manual verification

Built locally and verified the four cases:

$ cd /tmp/has-cwd-cfg && grype purl
[0000]  WARN using configuration file from current directory: .grype.yaml
...

$ cd /tmp/has-cwd-cfg && grype -c .grype.yaml purl
[0000] (no warn)
...

$ cd /tmp/has-cwd-cfg && GRYPE_CONFIG=.grype.yaml grype purl
[0000] (no warn)
...

$ cd /tmp/no-cwd-cfg && grype purl
[0000] (no warn)
...

Subdir form (.grype/config.yaml) also fires correctly.

Tests

• cmd/grype/cli/internal/configwarn/configwarn_test.go covers: no file present, each supported extension, subdir layout, all --config / -c / --config= / -c= / -cpath forms, GRYPE_CONFIG env, and a trailing--c-with-no-value edge case (treated as not explicit, so the warning still fires).
• go test ./... passes for the whole tree minus pre-existing docker-daemon-required integration tests in this environment (test/integration, test/cli, grype/pkg image fixtures), which fail with "could not build docker image" unrelated to this change.
• go vet ./cmd/... is clean. The pre-existing vet warnings on grype/db/v5/differ, grype/db/v6/installation, and grype/version are present on main already.

Notes

• I picked WARN over INFO because the default log level is warn, which matches the spirit of the issue (the user has to actually see it for it to help).
• Wording: "using configuration file from current directory: " is short and tells the user both that something happened and where to look.