🤖 AI Summary
Static analysis warnings are frequently ignored due to high manual triage and remediation costs, leading to accumulated technical debt. This paper proposes the first LLM-agent-based framework for automated warning classification and repair: it dynamically acquires contextual information via iterative tool invocation—including code search, build execution, SonarQube analysis, and test running—and generates targeted fixes; a novel three-step heuristic verification mechanism ensures repair correctness. Evaluated on 106 real-world Java projects, our approach achieves a 96.8% plausible fix rate and an 86.3% correct fix rate, with an average per-warning latency of 4 minutes and cost of just $0.029. Key contributions include: (1) the first end-to-end, LLM-agent-driven closed-loop system for static analysis warning resolution; (2) a lightweight, general-purpose architecture requiring no LLM fine-tuning; and (3) empirical validation that LLM agents can reliably repair complex, real-world code defects in industrial engineering settings.
📝 Abstract
Static analysis tools are widely used to detect bugs, vulnerabilities, and code smells. Traditionally, developers must resolve these warnings manually. Because this process is tedious, developers sometimes ignore warnings, leading to an accumulation of warnings and a degradation of code quality. This paper presents CodeCureAgent, an approach that harnesses LLM-based agents to automatically analyze, classify, and repair static analysis warnings. Unlike previous work, our method does not follow a predetermined algorithm. Instead, we adopt an agentic framework that iteratively invokes tools to gather additional information from the codebase (e.g., via code search) and edit the codebase to resolve the warning. CodeCureAgent detects and suppresses false positives, while fixing true positives when identified. We equip CodeCureAgent with a three-step heuristic to approve patches: (1) build the project, (2) verify that the warning disappears without introducing new warnings, and (3) run the test suite. We evaluate CodeCureAgent on a dataset of 1,000 SonarQube warnings found in 106 Java projects and covering 291 distinct rules. Our approach produces plausible fixes for 96.8% of the warnings, outperforming state-of-the-art baseline approaches by 30.7% and 29.2% in plausible-fix rate, respectively. Manual inspection of 291 cases reveals a correct-fix rate of 86.3%, showing that CodeCureAgent can reliably repair static analysis warnings. The approach incurs LLM costs of about 2.9 cents (USD) and an end-to-end processing time of about four minutes per warning. We envision CodeCureAgent helping to clean existing codebases and being integrated into CI/CD pipelines to prevent the accumulation of static analysis warnings.
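The three-step patch-approval heuristic described in the abstract (build, confirm the target warning is gone with no new warnings, run the tests) as an added example; this is not code from the CodeCureAgent paper or its authors. The gate takes the build, analyzer and test-suite steps as callables, so the real tools can be plugged in. Everything below the gate is a constructed stand-in: the rule keys `demo:no-stdout` and `demo:empty-catch` are invented, `demo_build` only checks brace balance, and `demo_tests` only checks that a statement survived. One assumption is worth flagging: the abstract does not say how warnings are matched before and after a patch, so this example keys each warning on (rule, file, normalised snippet) rather than on its line number, to avoid every untouched warning below the edit being counted as "new" when lines shift.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Set, Tuple

Files = Dict[str, str]                  # path -> source text (in-memory tree)
WarningKey = Tuple[str, str, str]       # (rule, path, normalised snippet)


def warning_key(rule: str, path: str, snippet: str) -> WarningKey:
    # Key on the offending text, not the line number (assumption, see lead-in).
    return (rule, path, " ".join(snippet.split()))


@dataclass
class GateResult:
    approved: bool
    reason: str
    new_warnings: FrozenSet[WarningKey] = field(default_factory=frozenset)


def approve_patch(
    target: WarningKey,
    baseline: Set[WarningKey],
    build: Callable[[], bool],
    analyze: Callable[[], Set[WarningKey]],
    run_tests: Callable[[], bool],
) -> GateResult:
    """Three-step gate from the abstract; each step short-circuits on failure."""
    if not build():                                   # step 1: project builds
        return GateResult(False, "build failed")
    after = analyze()                                 # step 2: re-run analysis
    if target in after:
        return GateResult(False, "target warning still present")
    introduced = frozenset(after - baseline)
    if introduced:
        return GateResult(False, "patch introduced new warnings", introduced)
    if not run_tests():                               # step 3: test suite passes
        return GateResult(False, "test suite failed")
    return GateResult(True, "approved")


# ---- constructed stand-ins for the compiler, SonarQube and the test suite ----

def demo_build(tree: Files) -> bool:
    # Stand-in for the compiler: only checks that braces balance.
    src = "".join(tree.values())
    return src.count("{") == src.count("}")


def demo_analyze(tree: Files) -> Set[WarningKey]:
    # Stand-in for the analyzer with two invented rules.
    found: Set[WarningKey] = set()
    for path, text in tree.items():
        for line in text.splitlines():
            if "System.out.println" in line:
                found.add(warning_key("demo:no-stdout", path, line))
            if "catch" in line and line.rstrip().endswith("{}"):
                found.add(warning_key("demo:empty-catch", path, line))
    return found


def demo_tests(tree: Files) -> bool:
    # Stand-in for the test suite: the method's real return must survive.
    return "return Integer.parseInt(s);" in tree["src/Main.java"]


ORIGINAL: Files = {  # constructed sample project
    "src/Main.java": (
        "public class Main {\n"
        "  static int parse(String s) {\n"
        "    System.out.println(s);\n"
        "    return Integer.parseInt(s);\n"
        "  }\n"
        "}\n"
    )
}
TARGET = warning_key("demo:no-stdout", "src/Main.java", "System.out.println(s);")


def patched(replacement: str) -> Files:
    # Candidate patch: replace the offending line with `replacement`.
    old = "    System.out.println(s);\n"
    return {"src/Main.java": ORIGINAL["src/Main.java"].replace(old, replacement)}


def gate_for(tree: Files) -> GateResult:
    # Wire the stand-in tools to a patched tree and run the three-step gate.
    baseline = demo_analyze(ORIGINAL)
    return approve_patch(
        TARGET, baseline,
        build=lambda: demo_build(tree),
        analyze=lambda: demo_analyze(tree),
        run_tests=lambda: demo_tests(tree),
    )


if __name__ == "__main__":
    print(gate_for(patched("")))                                              # approved
    print(gate_for(patched("    try { log(s); } catch (Exception e) {}\n")))  # new warning
    print(gate_for(patched("    if (s != null) {\n")))                        # build failed
    print(gate_for(patched("")  | {"src/Main.java": "public class Main { }\n"}))  # tests failed
```

Note what the gate does and does not establish: a patch that passes all three steps is "plausible" in the abstract's sense, not necessarily correct. Deleting the offending statement, or adding a suppression marker, also makes the warning disappear, which is why the paper separately reports a correct-fix rate from manual inspection of 291 cases.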