Extend default gitleaks config; add secretscan exception for K8s Sealed Secrets

[RebeccaMahany]

Updates our config generation so that we can extend the default config with our own overrides.

This was a bit difficult because of two issues with global state in upstream packages:

• The viper global var, which we'd previously noted with a workaround -- but this workaround no longer works when we extend the default config: https://github.com/gitleaks/gitleaks/blob/master/config/config.go#L377. This results in data races in tests.
• The config package var extendDepth, which quickly exceeds the maxExtendDepth of 2 across our test cases, despite parsing new config objects each time. This results in empty configs in every test except the first two that run, because gitleaks will no longer pull in the default config.

I solved this with a package-level config, configErr, and newConfigOnce sync.OnceFunc. I am not thrilled with the solution, but I couldn't come up with anything better. (Calling viper.MergeConfig didn't work -- it doesn't let us do partial rule overrides. I didn't want to re-implement config.extend here and write merge logic from scratch, either.)

This PR also adds an exception for K8s Sealed Secrets, as documented in gitleaks/gitleaks#1728, and test for same. Getting to add exceptions like these is the motivation for this PR. I plan to move isEmptyVariable and hopefully isEncryptedJWTFamilyValue to the config as well.