This is the app I've used in the past: https://play.google.com/store/apps/details?id=com.scottyab.s...

Also I was under the impression that SafetyNet would only pass on stock ROMs (to include official CyanogenMod builds lacking root). Is that not true? Will it also pass on any custom ROM lacking root?

Edit: According to http://androiding.how/use-android-pay-cm14-cm13/, SafetyNet (the tamper detection API in use by Android Pay and Pokemon Go) will only pass on official stable (non-nightly) releases of CM13/CM14 that have root disabled in the Developer options. It will not pass on debug releases of firmwares/ROMs, including Android 7.0 Nougat based CM14 and Android 6.0 Marshmallow based CM13 ROMs.

The SafetyNet API returns multiple booleans. The stricter version of the detection enforces that the system is an Android CTS-compliant device, but there are several levels below that. Apps using SafetyNet can decide how much they enforce. Unfortunately this testing app you linked doesn't seem to surface this at all and only shows the highest level (CTS).

Well, it's not like you haven't seen bloggers talking through their hats before, right? The amount of cargo cult nonsense in Android "news" kills me.

SafetyNet is completely fine with a nightly of CM13 (on Samsung Galaxy S5) after the su binary and it's accompanying symlink are renamed to get them out of sight (and effectively disabled). You don't have to touch the settings in developer options at all because SafetyNet isn't going on some extended search to look for the setting. It's just looking for the presence of an su binary in the filesystem in a few places during that phase of its checks.

SafetyNet passes on my Nexus 4 running an unrooted currentish CyanogenMod nightly build.

Haven’t tried any other Android custom roms.