diff --git a/lib/config/secrets.ts b/lib/config/secrets.ts
index bb1bfd2481d7bf9d4087e0995e63dacf1dcf4428..c9eee725a6de0f02d59e62985f7a7d2bdfc57b66 100644
--- a/lib/config/secrets.ts
+++ b/lib/config/secrets.ts
@@ -113,12 +113,15 @@ function replaceSecretsinObject(
   return config;
 }
 
-export function applySecretsToConfig(config: RenovateConfig): RenovateConfig {
+export function applySecretsToConfig(
+  config: RenovateConfig,
+  secrets = config.secrets
+): RenovateConfig {
   // Add all secrets to be sanitized
-  if (is.plainObject(config.secrets)) {
-    for (const secret of Object.values(config.secrets)) {
+  if (is.plainObject(secrets)) {
+    for (const secret of Object.values(secrets)) {
       add(String(secret));
     }
   }
-  return replaceSecretsinObject(config, config.secrets);
+  return replaceSecretsinObject(config, secrets);
 }
diff --git a/lib/workers/repository/init/merge.ts b/lib/workers/repository/init/merge.ts
index aee5befe6b0a09c30de672abb5ea1fc82e257195..31d2bbffb05453f911b922aef81c3def3eed10b2 100644
--- a/lib/workers/repository/init/merge.ts
+++ b/lib/workers/repository/init/merge.ts
@@ -8,6 +8,7 @@ import { decryptConfig } from '../../../config/decrypt';
 import { migrateAndValidate } from '../../../config/migrate-validate';
 import { migrateConfig } from '../../../config/migration';
 import * as presets from '../../../config/presets';
+import { applySecretsToConfig } from '../../../config/secrets';
 import { RenovateConfig } from '../../../config/types';
 import {
   CONFIG_VALIDATION,
@@ -218,6 +219,10 @@ export async function mergeRenovateConfig(
     );
     npmApi.setNpmrc(resolvedConfig.npmrc);
   }
+  resolvedConfig = applySecretsToConfig(
+    resolvedConfig,
+    mergeChildConfig(config.secrets || {}, resolvedConfig.secrets || {})
+  );
   // istanbul ignore if
   if (resolvedConfig.hostRules) {
     logger.debug('Setting hostRules from config');