I think you will have answered the question if you can figure out the answer to, "is my source code much less likely to be read by an attacker than a database?"
I would suggest that this is not the case - perhaps your source is somewhat less prone to leak, depending on how things are backed up, etc. Despite this, I doubt that it is so much less likely that you can neglect the risk, given that you do not neglect the same risk for the database. The reason that passwords in the database must be salted / hashed is not that there is some special property of databases which means that attackers can view their contents [*]; it is that attackers can, one way or another, look at all kinds of things.
In fact, the source code may be even more likely to leak than the database, given that anyone who works on the system may need access to the source, while not everyone on the system needs access to the contents of the live database. It's not that I think your developers are dishonest (if they are, you have worse problems than a password leak), just that the logistics around exchanging source can introduce more (or just different) ways for it to leak accidentally than the logistics around db backups.
Personally, in your situation, I would create a small file on the server containing a salted / hashed password, and almost nothing else. Users installing different instances of the application can create their own versions of this file containing their own password, separately from the actual application code. They should lock it down with the same write restrictions as the source code.
Calling this file a "read-only database" or "part of the server code" does not affect how easy it is for an attacker to view it, although it can affect whether you refer to the password as "hard-coded".
[*] Of course, there are potential flaws specific to particular databases, SQL injection attacks, or something else. This is not a decisive reason why passwords in databases should be salted and hashed.
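An added example, not part of the original answer: one way to build the small per-instance credential file the answer describes, holding only a salt and a derived hash, and to check a login attempt against it. The file name, the JSON layout, the choice of PBKDF2-HMAC-SHA256 and its iteration count are assumptions made for illustration; the answer does not name an algorithm.

```python
import hashlib
import hmac
import json
import os
import secrets
import stat

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware


def write_credential_file(path, password):
    """Create the per-instance file: salt + derived hash, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    record = {"alg": "pbkdf2-sha256", "iter": ITERATIONS,
              "salt": salt.hex(), "hash": digest.hex()}
    # O_EXCL refuses to overwrite an existing credential file;
    # mode 0o600 keeps it owner-only from the moment it is created.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(record, fh)
    # Drop write permission, mirroring the write restrictions on the code.
    # Assumption: the file owner is the account the server runs as.
    os.chmod(path, 0o400)


def verify_password(path, candidate):
    """Return True if candidate matches the stored salted hash."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # A file others can rewrite lets them swap in their own hash.
        raise PermissionError(f"{path} is writable by group or others")
    with open(path) as fh:
        record = json.load(fh)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["iter"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a throwaway directory and passphrase.
    path = os.path.join(tempfile.mkdtemp(), "admin_credential.json")
    write_credential_file(path, "constructed-sample-passphrase")
    print(verify_password(path, "constructed-sample-passphrase"))
    print(verify_password(path, "wrong-guess"))
```

Anyone who reads this file, like anyone who reads the source or a database dump, gets only the salt and the hash, which is the property the answer argues for regardless of what the file is called.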