kaniko trigger AWS GuardDuty critical issue

[Allen-yan]

We deployed the tekton/kaniko in aws eks. And AWS GuardDuty , a threat detection service, found there is a critical issue in kaniko building process:

A container has executed a newly created binary file.

The kaniko image version:
gcr.io/kaniko-project/executor:v1.18.0@sha256:f085ac43d71fc24b4b5a57596eee04e2ea0e85ed43d923760911049dcc00aa2e

It starts from /tekton/bin/entrypoint --> /kaniko/executor --> /bin/dash --> /usr/bin/wget. It seems that the executor wget something than compile it and execute it .

The kaniko executor get and compile the image is OK，why execute it?

[Allen-yan]

I ask aws support about the issue.
They give me following info

The goal of Execution:Runtime/NewBinaryExecuted is to notify that a newly created or recently modified binary file in the container has been executed. This is achieved by collecting and transmitting open() system calls with the O_WRONLY, O_RDWR, O_CREATE flags and associating them with exec() system calls. When the creation of a new binary file through an open() system call and its subsequent execution are observed, this discovery is generated.