C++ / C#
Vladimir Yurchenkov, 2021-12-20 18:50:29

How to hide the password?

It so happened that you have to use a hard-coded password in the backend. Are there any options to hide it from prying eyes? After all, part of the source code can sometimes be looked at by third-party tools.


3 answers
Vasily Bannikov, 2021-12-20
@EPIDEMIASH

After all, part of the source code can sometimes be looked at by third-party tools.

If this is a backend, what tools can look at it without direct access to the source code and the file system of the server where it runs?
As for options to remove it from the sources: pass it as a parameter in the config or in environment variables.
Or use some kind of secure storage.
For example Vault or Azure Key Vault.

rPman, 2021-12-20
@rPman

What, and most importantly from whom, are you protecting yourself? The answer depends on that, and it will be very different.
If you really need to somehow protect data from the provider, i.e. their administrators who scan their clients' machines for 'something to profit from', then critical strings should not be stored in files at all, but only in RAM, requested 'from the side'.
This option is only suitable for continuously running services/applications, not for HTTP REST based on CGI or web server modules (those would need to start their own service, and requests to it would already be vulnerable). The method gives no absolute guarantee, since, having access to the backend code files, the provider can analyze them, work out the scheme and replace the method with a less secure one; in especially neglected cases the provider can dig into the machine's RAM, but that is a particularly complicated and expensive method, which means unlikely.
At launch time, the application asks a third-party service for the password, and the third-party service transmits it, for example, after manual confirmation by the operator/owner.
Tips
- do not use standard technologies and tools offered by the provider, otherwise the question arises: from whom are you defending yourself then?
- be sure to implement manual confirmation by the operator; the administrator knows when the web server is restarted, and if a request to send the password arrives at any other time, that is a reason to worry
- do not make this a request-response system (where, say, the backend accesses a remote service via RPC and it immediately returns the password), since it is easy to find that in the code and simulate the call; the backend makes the request, but the service will start working only after the corresponding request arrives at it
PS: an example of a simple implementation if you need to protect data from an outside administrator (we will leave aside the option of infecting them with a Trojan for now; that is handled by other means) - all configs are stored in clear text in a certain directory; by default it contains test data for checking that the project works, and on the production service, or in 'production' mode, the correct configs are added to this directory, for example by mounting from encfs, an operation done manually by a designated person at the time of restarting the server.
It goes without saying that the administrator should not deal with configuration itself, but should create and configure automatic deployment tools (for example a docker image or ansible configs), i.e. at least two people - one does all the work but has no access to passwords, only test data; the other only checks the work and puts it into production.
Divide and conquer - don't keep everything in one place; split the service into several so that critical information can be placed separately from the main logic, in the form of a simple, crude module that requires minimal and rare maintenance.
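Taking the advice from the two answers above (move the credential out of the sources into the environment, and keep it only in process memory at run time), here is an added C++ example that is not code from the thread; the Secret class, loadSecretFromEnv and the EXAMPLE_DB_PASSWORD variable name are hypothetical names chosen for the example.

```cpp
#include <cstdlib>
#include <optional>
#include <string>
#include <vector>

// Holds a secret only in process memory and overwrites it on destruction,
// so the value never sits in source, in git, or in a config file on disk.
// Hypothetical helper written for this example; not from the thread.
class Secret {
public:
    explicit Secret(std::string value)
        : bytes_(value.begin(), value.end()) {
        if (!value.empty()) wipe(&value[0], value.size());  // scrub the temporary copy
    }
    ~Secret() { if (!bytes_.empty()) wipe(bytes_.data(), bytes_.size()); }
    Secret(const Secret&) = delete;             // no silent copies lying around
    Secret& operator=(const Secret&) = delete;
    Secret(Secret&&) = default;
    std::size_t size() const { return bytes_.size(); }

    // Constant-time comparison, e.g. for checking a presented credential.
    bool equals(const std::string& other) const {
        if (other.size() != bytes_.size()) return false;
        unsigned char diff = 0;
        for (std::size_t i = 0; i < bytes_.size(); ++i)
            diff |= static_cast<unsigned char>(bytes_[i] ^ other[i]);
        return diff == 0;
    }

    // Safe to put in a log line: reveals only the length, never the bytes.
    std::string describe() const {
        return "[secret, " + std::to_string(bytes_.size()) + " bytes]";
    }

private:
    static void wipe(char* p, std::size_t n) {
        volatile char* vp = p;                  // volatile so the stores survive optimisation
        for (std::size_t i = 0; i < n; ++i) vp[i] = 0;
    }
    std::vector<char> bytes_;
};

// Reads the credential that the deployment tooling (systemd unit, container
// runtime, CI secret injection) placed in the environment.  Absent or empty
// means "refuse to start", not "fall back to a built-in default".
std::optional<Secret> loadSecretFromEnv(const char* name) {
    const char* raw = std::getenv(name);
    if (raw == nullptr || *raw == '\0') return std::nullopt;
    return Secret(std::string(raw));
}
```

Startup code should treat an empty optional as a fatal configuration error; the constructed value used in the check below stands in for whatever the deployment tooling injects.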

GavriKos, 2021-12-20
@GavriKos

Don't use a password in code. And don't store it in the git either.
