diff --git a/lib/util/sanitize.spec.ts b/lib/util/sanitize.spec.ts
index fb8c16e9f3df939236049b4a9e5e611fad785b35..c38c9e3574e24751baddda06cf58d6454f18ea99 100644
--- a/lib/util/sanitize.spec.ts
+++ b/lib/util/sanitize.spec.ts
@@ -11,6 +11,7 @@ describe('util/sanitize', () => {
   });
   it('sanitizes empty string', () => {
+    addSecretForSanitizing('');
     expect(sanitize(null as never)).toBeNull();
     expect(sanitize('')).toBe('');
   });
@@ -32,4 +33,10 @@ describe('util/sanitize', () => {
     const outputX2 = [output, output].join('\n');
     expect(sanitize(inputX2)).toBe(outputX2);
   });
+  it('sanitizes github app tokens', () => {
+    addSecretForSanitizing('x-access-token:abc123');
+    expect(sanitize(`hello ${toBase64('abc123')} world`)).toBe(
+      'hello **redacted** world'
+    );
+  });
 });
diff --git a/lib/util/sanitize.ts b/lib/util/sanitize.ts
index 2ea926b1d77c0c459a9eb74c575dd4551a720163..2d830e2d7213cdf32858973ad9cbddbb21fcc3ec 100644
--- a/lib/util/sanitize.ts
+++ b/lib/util/sanitize.ts
@@ -1,3 +1,6 @@
+import is from '@sindresorhus/is';
+import { toBase64 } from './string';
+
 const secrets = new Set<string>();
 
 export const redactedFields = [
@@ -26,9 +29,19 @@ export function sanitize(input: string): string {
   return output;
 }
 
+const GITHUB_APP_TOKEN_PREFIX = 'x-access-token:';
+
 export function addSecretForSanitizing(secret: string): void {
+  if (!is.nonEmptyString(secret)) {
+    return;
+  }
   secrets.add(secret);
-  secrets.add(secret?.replace('x-access-token:', '')); // GitHub App tokens
+  secrets.add(toBase64(secret));
+  if (secret.startsWith(GITHUB_APP_TOKEN_PREFIX)) {
+    const trimmedSecret = secret.replace(GITHUB_APP_TOKEN_PREFIX, '');
+    secrets.add(trimmedSecret);
+    secrets.add(toBase64(trimmedSecret));
+  }
 }
 
 export function clearSanitizedSecretsList(): void {
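Review bot: The added `addSecretForSanitizing('')` is only checked through `sanitize('')`, which yields an empty string either way if `sanitize` returns falsy input unchanged, as the `null as never` expectation on the next line suggests, so this test would still pass if the empty secret had reached the set. Add an assertion on a non-empty input in the same test, `expect(sanitize('abc')).toBe('abc');`, which would fail with a leading `**redacted**` if `''` were ever stored and substring-replaced. The enclosing describe block starts before and ends after the hunk.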
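Review bot: The new test asserts only the base64 form of the trimmed token, so the other three forms the implementation stores — `x-access-token:abc123`, `abc123`, and the base64 of the full string — are unexercised and a regression in any of them would pass CI. Add expectations for them in the same `it`, e.g. `expect(sanitize('hello abc123 world')).toBe('hello **redacted** world');` and `expect(sanitize('hello ' + toBase64('x-access-token:abc123') + ' world')).toBe('hello **redacted** world');`. `toBase64` is used here but its import is not in the hunk, so presumably it was added above the visible lines. The describe block closes on the hunk's last context line.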
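Review bot: A secret equal to exactly `x-access-token:` passes the new `is.nonEmptyString` guard, and the `startsWith` branch then stores an empty `trimmedSecret` plus `toBase64('')`, which is also empty; if `sanitize` substring-replaces each stored secret, as the spec's `**redacted**` expectations suggest, that empty entry would corrupt every later output, which is exactly what the guard was added to prevent. Route the trimmed value through the same guard rather than duplicating the two adds, making `addSecretForSanitizing(secret.slice(GITHUB_APP_TOKEN_PREFIX.length));` the only statement in the `if`; this also drops the `replace` call, whose first-match semantics only coincide with prefix removal because of the `startsWith` check. Separately, a base64 entry only matches when the secret is encoded on its own 3-byte alignment, so a token encoded after arbitrary other text (for example inside a `user:token` Basic credential) will not be caught by `toBase64(secret)` unless the preceding text happens to be a multiple of three bytes; a comment on the `secrets.add(toBase64(secret))` line such as `// base64 form only matches when the secret is encoded standalone (alignment-sensitive)` would record that limitation. The `sanitize` body precedes the hunk and `clearSanitizedSecretsList` continues past it.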