The following requirements are relevant for technical secrets (e.g. passwords of technical users, API keys, credentials or private keys) used either in production or that are generally used to protect access to sensitive systems or data:
Secrets MUST be encrypted when stored with the source code (otherwise they need to be separated from it).
Access to secrets MUST be restricted.
For assurance class >= [HIGH]
Secrets MUST be stored in a secure secret store (vault) or keystore)
Secrets MUST be stored encrypted
Secrets SHOULD be rotated at least one per year.