apoorv-2204
How to fix Insecure File Uploads in Elixir
Hi,
I want to fix the issue in my codebase where I can upload any binary or executable file in live view or in general file api input in Phoenix.
I have already added restrictions to only accept files like PDFs, PNGs, and JPEGs.
I also want to perform an antivirus scan. What should I do? Is there a library in Elixir for it?
Exadra37
While I don’t know of any lib to do virus scanning, I want to call your attention to the fact that if your restrictions on the file type are based on the extension, then they can be bypassed. Instead, a better approach is to perform this check based on the MIME type of the file, but not the one passed in the request headers; you need to determine it yourself in your application.
Another thing to have in mind is that, before processing it in your application, you may want to copy the uploaded file to a temporary path with a random name. If you expose the uploaded file to the public, then you should use a different name from the one given by the client.
More best practices can be found at File Upload - OWASP Cheat Sheet Series.
Zurga
I do not know of any Elixir library that will do virus scanning, but using the System.cmd function you can call an external virus scanner to scan the uploaded file.
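Putting the two replies together, here is an added example (not code from either poster) that checks the file's leading bytes instead of its extension or claimed content type, copies it to a randomly named temp path, and hands it to an external scanner through `System.cmd/3`. It assumes `clamscan` is on the PATH and uses the clamscan exit-code convention (0 clean, 1 infected); the signatures cover the PDF, PNG and JPEG types from the question.

```elixir
defmodule UploadGuard do
  # Allowed types, identified by the bytes at the start of the file
  # (not by extension or by the content type the client claims).
  @signatures [
    {"%PDF-", "application/pdf", "pdf"},
    {<<0x89, "PNG\r\n", 0x1A, "\n">>, "image/png", "png"},
    {<<0xFF, 0xD8, 0xFF>>, "image/jpeg", "jpg"}
  ]
  # Returns {:ok, %{path: tmp, content_type: type}} only if every step passes,
  # otherwise {:error, reason}. `scanner` is {executable, argument list}.
  def check(path, scanner \\ {"clamscan", ["--no-summary"]}) do
    with {:ok, type, ext} <- detect_type(path),
         {:ok, tmp} <- copy_to_random_name(path, ext),
         :ok <- scan(tmp, scanner) do
      {:ok, %{path: tmp, content_type: type}}
    end
  end

  # Read only the first 8 bytes and match them against the known signatures.
  def detect_type(path) do
    case File.open(path, [:read, :binary], &IO.binread(&1, 8)) do
      {:ok, head} when is_binary(head) ->
        Enum.find_value(@signatures, {:error, :unsupported_type}, fn {sig, type, ext} ->
          n = byte_size(sig)
          if byte_size(head) >= n and binary_part(head, 0, n) == sig, do: {:ok, type, ext}
        end)
      _ -> {:error, :unreadable}
    end
  end
  # Never reuse the client's filename: copy to a random name in the temp dir.
  defp copy_to_random_name(src, ext) do
    name = Base.url_encode64(:crypto.strong_rand_bytes(16), padding: false)
    dst = Path.join(System.tmp_dir!(), name <> "." <> ext)
    with :ok <- File.cp(src, dst), do: {:ok, dst}
  end

  # Run the external scanner with System.cmd/3. Assumed clamscan convention:
  # exit 0 = clean, 1 = infected, anything else = scanner error.
  defp scan(tmp, {exe, args}) do
    case System.find_executable(exe) do
      nil -> {:error, :scanner_missing}
      bin ->
        case System.cmd(bin, args ++ [tmp], stderr_to_stdout: true) do
          {_out, 0} -> :ok
          {_out, 1} -> File.rm(tmp); {:error, :infected}
          {out, code} -> File.rm(tmp); {:error, {:scanner_failed, code, out}}
        end
    end
  end
end
```

In a LiveView you would call `UploadGuard.check(path)` inside the `consume_uploaded_entries/3` callback, which gives you the server-side temp path of each entry, and only persist the file when it returns `{:ok, _}`.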