bento
Pin SHA digests of used Docker Hub images
Many of the Docker-based tools use third-party images, such as koalaman/shellcheck:v0.7.0 for shellcheck. If koalaman's Docker account were compromised, an attacker could push a new image to the same tag that executes arbitrary code, and every subsequent pull of that tag would receive it.
Instead, we could use the koalaman/shellcheck:v0.7.0@sha256:9207d1d965f3aa6795c98690f86905203d0b0e9bc388c27162201cf157a63cc5 image, which is immutable: the digest is the hash of the image content, so a re-pushed tag cannot change what is pulled.
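As an added example (not code from the bento project), the following Python checks whether image references are pinned by digest and produces the pinned form of an unpinned reference. It parses the `[registry[:port]/]name[:tag][@sha256:<hex>]` grammar, audits `FROM` lines of a constructed Dockerfile snippet, and uses the shellcheck digest quoted above; the `audit_dockerfile` and `pin` helpers and the sample Dockerfile are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The digest can be obtained after a pull with:
#   docker inspect --format '{{index .RepoDigests 0}}' koalaman/shellcheck:v0.7.0
SHELLCHECK_DIGEST = "sha256:9207d1d965f3aa6795c98690f86905203d0b0e9bc388c27162201cf157a63cc5"

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    name: str               # e.g. "koalaman/shellcheck" or "localhost:5000/app"
    tag: Optional[str]      # mutable pointer, may be re-pushed by the publisher
    digest: Optional[str]   # content hash; immutable once published

    @property
    def pinned(self) -> bool:
        return self.digest is not None

    def __str__(self) -> str:
        out = self.name
        if self.tag:
            out += f":{self.tag}"
        if self.digest:
            out += f"@{self.digest}"
        return out


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into name, tag and digest."""
    rest, _, digest = ref.partition("@")
    if digest and not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    # Only a ':' in the last path component is a tag separator; a ':' before
    # the last '/' is a registry port (localhost:5000/app).
    head, slash, last = rest.rpartition("/")
    name_part, _, tag = last.partition(":")
    name = f"{head}/{name_part}" if slash else name_part
    if not name:
        raise ValueError(f"empty image name in {ref!r}")
    return ImageRef(name, tag or None, digest or None)


def pin(ref: str, digest: str) -> str:
    """Return the same reference with the digest appended (tag kept for readability)."""
    parsed = parse_image_ref(ref)
    if not DIGEST_RE.match(digest):
        raise ValueError(f"refusing to pin to malformed digest {digest!r}")
    return str(ImageRef(parsed.name, parsed.tag, digest))


def audit_dockerfile(text: str) -> List[str]:
    """Return the image references of FROM lines that are not digest-pinned."""
    unpinned = []
    for line in text.splitlines():
        tokens = line.strip().split()
        if not tokens or tokens[0].upper() != "FROM":
            continue
        # Skip flags such as --platform=...; the next token is the image.
        args = [t for t in tokens[1:] if not t.startswith("--")]
        if not args or args[0] == "scratch":
            continue
        if not parse_image_ref(args[0]).pinned:
            unpinned.append(args[0])
    return unpinned


# Constructed sample: the first FROM relies on a mutable tag, the second is pinned.
SAMPLE_DOCKERFILE = f"""
FROM --platform=linux/amd64 koalaman/shellcheck:v0.7.0 AS lint
FROM koalaman/shellcheck:v0.7.0@{SHELLCHECK_DIGEST}
FROM scratch
"""

if __name__ == "__main__":
    for ref in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"unpinned: {ref} -> {pin(ref, SHELLCHECK_DIGEST)}")
```

Running the module prints the one unpinned reference alongside its pinned replacement; the same `audit_dockerfile` logic applies to any list of image references a tool launcher keeps in configuration.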