← Back

How to share a screenshot safely on GitHub or Slack

Before you paste a screenshot into an issue, a PR or a channel, do three things: crop to just the lines that show the problem, cover anything secret or internal with a solid opaque block rather than a blur, and open the exported file to check it before you drop it in. A dev screenshot leaks more than the bug. A token sits in a logged request header, an internal hostname hides in a curl command, a customer's email is one line down in the log, and another channel is visible at the edge of the window. And once it is posted, you often cannot take it back: GitHub keeps the image on a public URL after you delete the comment, and Slack keeps it searchable across the org.

What actually leaks in a developer screenshot

The bug is rarely the only thing in the frame. Issue reports are unstructured by nature, a mix of prose, pasted logs, shell commands, stack traces and screenshots, which is exactly why automated secret scanners miss so much of what ends up in them. Here is what tends to ride along in a screenshot of code, a terminal or an error, where it hides, and how to share the shot clean.

What leaksWhere it hides in the frameHow to share it clean
A token, key or passwordA logged request header, a printed .env, an Authorization: line, a connection string in a stack trace.Cover with an opaque block on-device, export fresh, then rotate the secret. See the key-specific guide below.
Internal hosts and URLsA browser address bar, a curl command, an internal error page, an npm registry line.Crop them out, or cover the host with a solid fill.
People's names and emailsA git blame gutter, a commit author, a Slack sidebar, an IDE account badge in the corner.Crop tight to the code; keep the chrome out of the shot.
Customer data in a log lineOne console or log row below the error: an email, an order ID, a real user record.Cover the offending line before you crop, then re-check.
A ticket or internal IDA window title, a browser tab, a Jira key in the path.Crop the title bar and tabs away.
Another channel or DMThe edge of the window behind your terminal, a notification banner mid-capture.Crop tight first, or close the other window before you capture.

Secrets in the frame: cover them, then rotate

A secret caught in a screenshot is the worst case, because it is both the easiest thing to reconstruct and the most damaging to leak. Never blur or pixelate it. A key or token is a short, structured string in a known monospace font, which is precisely the input a solver like Depix or Bishop Fox's Unredacter recovers best, walking it character by character. Cover it with a solid opaque block instead. The full playbook for that one case, including why the cover has to be baked into a fresh file, is in how to hide an API key in a screenshot.

Then treat the key as burned. Rotate it, do not simply hope nobody looked. The xAI leak in 2025 is the cautionary version at scale: a private key with access to around sixty internal Grok models, including ones built on SpaceX and Tesla data, sat exposed for roughly two months and stayed usable the whole time, even after it was flagged. A secret that has been on a screen has to be assumed compromised the moment the image leaves your machine. Roughly 28 million secrets were pushed to public GitHub in 2025 alone, and the ones tucked inside images are the hardest for any scanner to catch, which is exactly why they linger.

Where GitHub and Slack actually keep your image

The reason to get the screenshot right before you post it is that you usually cannot un-post it. When you drag an image into a public repo issue, PR or comment, GitHub does not store it in the repo. It uploads it to its CDN and gives it an anonymized URL on user-images.githubusercontent.com that anyone can open with no login at all. Deleting the comment, or even the whole repository, does not delete that file. The URL stays live, and the only way to actually purge it is to open a ticket with GitHub Support. Attachments in private repos were changed to require authentication, so those are safer, but anything you dropped into a public repo should be treated as permanently public from the moment you hit comment.

Slack fails a different way. A screenshot you post to a channel is searchable by everyone in that channel, and it does not age out unless someone set a retention policy. On Business+ and Enterprise Grid plans an admin can export whole channels, including private channels and DMs, so a shot you meant for one teammate can surface in a workspace export or a legal hold later. The in-app search is scoped to what you can see, which lulls people, but the export and discovery tooling above it is not. In both cases the safe assumption is the same: once the pixels are uploaded, they are out of your hands, so the cleaning has to happen before.

The clean way to share one

The method is short and it is the same every time. This is redaction applied to a dev screenshot; for the full mechanics on a Mac, including why each step matters, see how to redact a screenshot on a Mac.

  1. Crop tight to the lines that show the problem. Most leaks are in the chrome around the code, so a tight crop removes them for free.
  2. Cover any secret or internal detail with a solid, fully opaque block, or a destructive scramble. Never a blur or a pixelation, both can be reversed.
  3. Export a brand-new flattened file. Do not save over the original, and do not leave a cover sitting on a separate editable layer over intact text.
  4. Open the exported file, not the one you were editing, and look. Zoom in on every covered area, try to select text over it, and confirm nothing survived at the edges.

If you want the wider picture on what a screenshot gives away and how to decide whether to send one at all, I wrote is it safe to share screenshots.

When you can, paste the text instead

The safest screenshot of code is often not a screenshot. If the content is the point, a stack trace, a config, a command, a diff, paste it as text in a fenced code block. Text is searchable, copyable and diffable by whoever is helping you, and a plain code block has no background window, no logged header and no image metadata to leak. You still redact it, a token pasted as text is still a leaked token, but you remove a whole category of accidental capture. Reach for a screenshot only when the visual state is what matters: a rendered UI, a chart, a diff view with color, or an error dialog you genuinely cannot copy out of.

How ScrubShot handles it

I built ScrubShot to make the clean path the fast one, so cropping and covering happens before anything touches GitHub or Slack. Press Fn + Space and it captures the whole screen with ScreenCaptureKit and opens it in an editor. You crop afterwards, so you can grab the terminal and then trim away the tab bar, the sidebar and the window behind it.

For the secret itself, the Scrub tool is the part that matters. A normal pixelate sets each block to the average of the pixels beneath it, which is the fixed mapping Depix and Unredacter solve. ScrubShot does not do that. It uses a content-independent scramble: each block is filled from pixels sampled at random across the whole selected region, so the pattern is decoupled from whatever sat underneath and there is no per-block relationship to the original characters to solve for. It reverses to nothing by design, and the scramble is baked straight into the image, so an Authorization header or a connection string is gone, not hidden on a layer someone can peel off.

The capture, scrub and share flow makes no network connections, so a screenshot with a key or a client's data in it never leaves your Mac while you are cleaning it. To be precise, the app talks to a server only for the free-trial check, license activation and update checks, and that request carries a hashed machine identifier and your license key, never any image data. ScrubShot runs on macOS 14 and later, on both Apple Silicon and Intel, and it needs Screen Recording and Accessibility permission to capture the screen and to see the Fn shortcut.

FAQ

How do I share a screenshot of code safely?
Crop to just the lines that show the problem, cover any secret or internal detail with a solid opaque block (never a blur, which can be reversed), export a fresh file, and open that file to check before you paste it. Where the point is the code itself, paste it as text in a fenced block instead of a screenshot, so a reviewer can copy it and nothing hides in the pixels.
Are GitHub issue attachments public, and can people still see one after I delete the comment?
An image dropped into a public repo issue, PR or comment is stored on GitHub's CDN at a user-images.githubusercontent.com URL that anyone can open without logging in, and that URL stays reachable even after you delete the comment. Deleting the comment does not delete the file; you have to ask GitHub Support to purge it. Attachments in private repos were changed to require authentication, but treat anything you posted in a public repo as permanently public.
Should I blur a secret in a screenshot?
No. A blur or pixelation of a short, structured string in a known font, which is exactly what a token or key looks like, can be reconstructed by a solver such as Depix or Bishop Fox's Unredacter. Cover it with a solid opaque fill or a content-independent scramble instead, export a fresh file, and rotate any key that was ever on screen, because you should assume it leaked.
Is it better to paste code as text or as a screenshot?
Paste it as text whenever the content is the point. Text in a fenced code block is searchable, copyable and diffable by whoever is helping you, and it has no background window, no secret in a logged header and no metadata to leak. Use a screenshot only when the visual state is what matters, such as a rendered UI, a graph, or an error dialog you cannot copy.
Does ScrubShot upload my screenshots?
No. The capture, scrub and share flow makes no network connections, so a screenshot with a token or a customer's data in it never leaves your Mac. The app contacts a server only for the trial check, license activation and update checks, and those requests carry a hashed machine identifier and your license key, never any image data.

Try it

ScrubShot is a one-time $30 purchase with a seven-day free trial, no account and no card up front. It runs entirely on your Mac.

Get ScrubShot