Google Cloud Registry requires the storage.admin permission in order to enumerate repositories in a registry. This is done via wildcards. If the credentials you pass into the defender has readonly permissions it will be able to scan specific repositories in the registry as expected, but wildcards will fail.
Scan a repository in your registry
Add in a wildcard
At this step nothing should happen. No progress bar, no errors.