14+for base_image_path in $(find containers -regextype egrep -regex "containers/.*\.(tgz|tar|tar\.xz|tar\.gz)$" -print); do

Isn't that just `for base_image_path in containers/*.{tgz,tar,tar.xz,tar.gz}; do`?

15+    echo "Loading base image ${base_image_path##*/}"
16+    if tar -tf $base_image_path | grep -q "^manifest.json"; then

Quoting please. Can there ever be a container tarball without manifest?

17+        CONFIG_BLOB=$(tar -xOf $base_image_path manifest.json | paste -s | sed -n -e 's/^.*"Config"\s*:\s*"\([^"]*\)".*$/\1/p')

What does paste do here? For json, please use jq...

18+        if [ -n "$CONFIG_BLOB" ]; then

Can this ever be empty?

19+            CONFIG_JSON=$(tar -xOf $base_image_path "$CONFIG_BLOB" | paste -s)

Quoting.

20+            CONTAINER_REFERENCE=$(echo "$CONFIG_JSON" | sed -n -e 's/^.*"org.opensuse.reference"\s*:\s*"\([^"]*\)".*$/\1/p')
21+            CONTAINER_NAME=$(echo "$CONFIG_JSON" | sed -n -e 's/^.*"org.opensuse.reference"\s*:\s*".*\/\([^:/]*\):.*".*$/\1/p' | tr '[:lower:]-' '[:upper:]_')
22+            sed -i"" \
23+                -e "s#%BASE_${CONTAINER_NAME}_REFERENCE%#${CONTAINER_REFERENCE}#g" \
24+                -e "s#%BASE_${CONTAINER_NAME}_DIGEST%#${CONFIG_BLOB}#g" \

The digest here needs to be the sha256 of the manifest, not the config blob.

25+                "${files[@]}"
26+        fi
27+    fi
28+done