This site says it is best to keep API keys in environment variable out of the code. And here
Storing Credentials Securely
You should take great care to ensure your credentials are stored securely. If someone obtains your api_key or an access_token with the send or all permission, they will be able to send all the bitcoin out of your account.
In particular, you should avoid storing these credentials in your code base (which gets added to version control) or in your database unless you have encrypted them securely. Separating credentials from your code base and database is a good practice.
API key access is turned off by default on all accounts. So if you decide to do an API key integration, you will need to enable it first and take the necessary steps from then on to store it securely. You can always regenerate your API key (or disable it) if you feel it has been compromised.
However, whenever a program crashes, it often sends the environment as part of the crash report:
https://lists.launchpad.net/openjdk/msg01149.html
Environment Variables: ...
So... which is it? I don't see why storing keys in the environment is any safer than the source code. If someone gets to the system, they have access to both.